Data security system and with territorial, geographic and triggering event protocol

ABSTRACT

The method, program and information processing system secures data, and particularly security sensitive words, characters or data objects in the data, in a computer system with territorial, geographic and triggering event protocols. The method and system determines device location within or without a predetermined region and then extracts security data from the file, text, data object or whatever. The extracted data is separated from the remainder data and stored either on media in a local drive or remotely, typically via wireless network, to a remote store. Encryption is used to further enhance security levels. Extraction may be automatic, when the portable device is beyond a predetermined territory, or triggered by an event, such a “save document” or a time-out routine. Reconstruction of the data is permitted only with security clearance and within certain geographic territories. An information processing system for securing data is also described.

This is a continuation of patent application Ser. No. 10/998,366, filedNov. 26, 2004, now U.S. Pat. No. 7,669,051, which is a regular patentapplication based upon and claiming the benefit of provisional patentapplication No. 60/525,507, filed Nov. 26, 2003, and is acontinuation-in-part of patent application Ser. No. 10/277,196 filed onDec. 31, 2002, now U.S. Pat. No. 7,322,047, and patent application Ser.No. 10/115,192 filed on May 23, 2002, now U.S. Pat. No. 7,349,987, andSer. No. 10/155,525 filed on May 23, 2002, now U.S. Pat. No. 7,191,252,and which was a regular patent application claiming the benefit ofprovisional patent applications 60/400,062 filed on Aug. 2, 2002,60/400,112 filed on Aug. 2, 2002, 60/400,406 filed on Aug. 2, 2002, and60/400,407 filed on Aug. 2, 2002, and is a continuation-in-part ofpatent application Ser. No. 10/008,209 filed on Dec. 6, 2001, now U.S.Pat. No. 7,140,044, and Ser. No. 10/008,218 filed on Dec. 6, 2001, nowU.S. Pat. No. 7,146,644, and is a continuation-in-part of patentapplication Ser. No. 09/916,397 filed Jul. 27, 2001, now U.S. Pat. No.7,103,915, which is a regular patent application is based uponprovisional patent application No. 60/260,398, filed Jan. 9, 2001;application No. 60/287,813, filed on May 2, 2001; application no.60/267,944, filed Feb. 12, 2001; application No. 60/247,242, filed Nov.13, 2000 and application No. 60/247,232, filed Nov. 13, 2000, thecontents of the foregoing applications and patents is incorporatedherein by reference thereto.

The present invention relates to a data security system and method and,more specifically, to a process, program and system which operates tosecure files and data objects in a computer system and network withmultiple independent levels of security (MILS). The invention extractson a granular basis, disperses, via a controlled release of datasegments, to storage locations, and permits reconstruction utilizingsecurity protocols to provide a security system for data.

BACKGROUND OF THE INVENTION

The extensive use of computers and the continued expansion oftelecommunications networks, particularly the Internet, enablebusinesses, governments and individuals to create documents (whethertext, images, data streams or a combination thereof, sometimesidentified as “data objects”) and distribute those documents widely toothers. Although the production, distribution and publication ofdocuments is generally beneficial to society, there is a need to limitthe distribution and publication of security sensitive words, charactersor icons. Concerns regarding the privacy of certain data (for example,an individual's social security number, credit history, medical history,business trade secrets and financial data) is an important issue insociety. In another words, individuals and businesses have a greaterconcern regarding maintaining the secrecy of certain information in viewof the increasing ease of distribution of documents through computernetworks and the Internet.

U.S. Pat. No. 6,055,544 to DeRose et al. discloses the generation ofchunks of a long document for an electronic book system. DeRose '544discloses solutions available to book publishers to publish books inelectronic format on the worldwide web. One of the problems is that thebooks are published as small document fragments rather than publishingan entire book which, due to the formatting, protocol and commandstructure on the Internet, downloads an entire book to the user. Theproblem involved with publishing small documents is that there is norelationship to other portions of the book. See col. 3, lines 51-55 andcol. 4, lines 3-5. One methodology to solve the problem involvesinserting hypertext links in the book. This places a large burden on thebook publisher. Col. 4, lines 19-21. Accordingly, it is an object ofDeRose '544 to provide a mechanism for accessing only a portion of alarge, electronically published document and automatically determiningwhat portion of the document to download to the user based upon userselections that is, previous portions and subsequent portions of thedocument are downloaded with the selected portion, without maintainingseparate data files for each portion of the document. Col. 4, lines34-39. In other words, if a person wanted to access chapter 4 of a text,the system in DeRose '544 would display chapter 4, chapter 3 (thepreceding chapter) and chapter 5 (the subsequent chapter). Thispublishing of portions of the document utilizes a subset of marked upelements established as being significant and a second subset ofelements being less significant. For example, “Title elements” define atable of contents. A first representation of the document structuredefined by all of the marked up elements may be used in combination witha second representation of the document structure defined only by thesignificant elements to control selection of portions of the documentssuch that previous and subsequent portions may be selected and renderedin a consistent and intuitive manner.” Col. 4, lines 38-55. A computersystem stores a first representation of the hierarchy of all elements inthe electronic document. As example, this may be each chapter in itsentirety. The computer also stores a second representation of thehierarchy of only significant elements in the electronic document. As anexample, this may be a listing of each chapter without the textassociated with the chapter. In response to request for a portion of thedocument, the computer system selects the portion defined by thesignificant element in the second representation. For example, if theuser requested chapter 4, the entirety of chapter 4 would be downloadedfrom the web server to the client computer. In addition to rendering orpublishing the selected chapter, the computer system looks to therelationship of the elements in the first representation of thehierarchy (the list of all chapters) and downloads from the web serverthe adjacent chapters. In this example, this would involve downloadingchapters 3 and chapter 5. In a further embodiment, the computer systemselects only a leaf element of the second representation as asignificant element during the download. See the Summary of theInvention, col. 4, line 40 through col. 6, line 14.

U.S. Pat. No. 5,832,212 to Cragun et al. discloses a censoring browsermethod for viewing downloaded and downloading Internet documents. Theabstract describes the system as including a user profile including userselected censoring parameters. Data packet contents are received fromthe Internet and the packets are compared with the user selectedcensoring parameters. Responsive to the comparison, the received datapacket contents are processed and selectively displayed. The userselected censoring parameters include censored words and word fragments,and user selected categories. Compared word and word fragments can beremoved and selectively replaced with predefined characters oracceptable substitute words. Tallies of weights for user selectedcategories are accumulated and compared with used selected thresholdvalues. A predefined message can be displayed responsive to anaccumulated tally exceeding a user selected threshold value withoutdisplaying the received data packet contents.

U.S. Pat. No. 6,094,483 to Fridrich discloses an encryption methodologyhiding data and messages in images. In one application of the system inFridrich '483, a method is disclosed of embedding a secret digitalsquare image with 256 gray levels within an image carrier. The secretimage is first encrypted using a chaotic Baker map. The resulting imageis a random collection of pixels with randomly distributed gray levelswithout any spatial correlations. The carrier image is twice the size(height and width or 2n×2m) the secret image with 256 gray levels. Thecarrier image is modified according to a mathematical formula.

U.S. Pat. No. 5,485,474 to Rabin discloses a scheme for informationdispersal and reconstruction. Information to be transmitted or stored isrepresented as N elements of a field or a computational structure. TheseN characters of information are grouped into a set of n pieces, eachcontaining m characters. col. 1, lines 37-46. The system is used forfault tolerance storage in a partitioned or distributed memory system.Information is disbursed into n pieces so that any m pieces suffice forreconstruction. The pieces are stored in different parts of the memorystorage medium. A fairly complex mathematical algorithm is utilized toprovide reconstruction of the information utilizing no fewer than mpieces.

U.S. Pat. No. 6,192,472 B1 to Garay et al. discloses a method andapparatus for the secure distributed storage and retrieval ofinformation. Garay '472 identifies the problem as how to storeinformation in view of random hardware or telecommunications failures.Col. 1, lines 17-20. The initial solution is to replicate the storeddata in multiple locations. Col. 1, lines 28-31. Another solution is todisburse the information utilizing in Information Disbursal Algorithm(IDA). The basic approach taking in IDA is to distribute the informationF being stored among n active processors in such a way that theretrieval of F is possible even in the presence of up to t failed(inactive) processors. Col. 1, lines 40-44. Another issue is theutilization of cryptographic tools. With the use of tools calleddistributed fingerprints (hashes), the stored data is distributed usingthe fingerprints and coding functions to determine errors. In this way,the correct processors are able to reconstruct the fingerprint using thecode's decoding function, check whether the pieces of the file F werecorrectly returned, and finally reconstruct F from the correct piecesusing the IDA algorithm. Col. 2, lines 50-59. Garay '472 also disclosesthe use of Secure Storage and Retrieval of Information (SSRI) with theadded requirement of confidentiality of information. Col. 3, line 56.With this added requirement, any collision of up to t processors (exceptones including the rightful owner of the information) should not be ableto learn anything about the information. Confidentiality of informationis easily achieved by encryption. Col. 3, lines 56-61. The issueinvolves encryption key management, that is, the safe deposit ofcryptographic keys. Garay '472 discloses confidentiality protocolutilizing distributed key management features. This mechanism allows theuser to keep his or her decryption key shared among several n servers insuch a way that when the user wants to decrypt a given encrypted text,the user would have to interact with a single server (the gateway) toobtain the matching plaintext while none of the servers (including thegateway) gets any information about the plaintext. Col. 4, lines 5-14.

U.S. Pat. No. 5,996,011 to Humes discloses a system and a method forfiltering data received over the Internet by a client computer. Thesystem restricts access to objectionable or target data received by aclient computer over an Internet by a web server by filteringobjectionable data from the data received. The Humes '011 system filtersthe data “on the fly.” Further, the Humes '011 system can be applied toprocess any type of target data from the data received and displayed tothe user. Col. 2, lines 32-44. If the web page requested by the usercontains only a minimum amount of objectionable or target data, the userreceives only a portion of the filtered web page for viewing. Hume '011also provides that if the web page contains a large amount ofobjectionable material, the system blocks the entire display of the webpage on the user's computer monitor. Col. 2, lines 56-62. Hume '011provides three levels of filtering. At the first level, if the domainname contains objectionable words or material, the initial download fromthe domain is blocked. At the second level, the text in the download isfiltered and objectionable words are replaced with a predetermined icon,for example, “—”. Col. 3, lines 32-35. The filter uses a dictionary.Col. 3, lines 45-48. The filtered out words are counted. If the finalscore of “filtered out” material exceeds a predetermined threshold, theentire page is blocked from the user's view. Col. 4, lines 2-4.

U.S. Pat. No. 5,905,980 to Masuichi, et al., discloses a documentprocessing apparatus for processing various types of documents, a wordextracting apparatus for extracting a word from a text item includingplural words, a word extracting method used in the document processingapparatus, and a storage medium for storing a word extracting program.Extracted words are associated with other words via an algorithm. Theextracted words and associated words are used as a search index for thedocument.

U.S. Pat. No. 5,996,011 to Humes discloses a computer based system andmethod for filtering data received by a computer system, and inparticular, for filtering text data from World Wide Web pages receivedby a computer connected to the Internet, for purposes of restrictingaccess to objectionable web sites.

U.S. Pat. No. 6,148,342 to Ho discloses a system for managing sensitivedata. The system prevents a system administrator from accessingsensitive data by storing data and identifier information on differentcomputer systems. Each query from a user's terminal is encrypted usingtwo codes, the first code readable only by an identifier database and asecond code readable only by a data access database. The data is routedfrom the user's source terminal to the identifier database at the firstcomputer. The first computer/identifier database first verifies theuser's ID and the security clearance for the requested information andsubstitutes a second internal ID to the data packet/query. The modifiedquery is then presented to the data access database (the secondcomputer) and, subject to a second security clearance, the response tothe data query is sent back to the user's source terminal.

A publication entitled “Element-Wise XML Encryption” by H. Maruyama T.Imamura, published by IBM Research, Tokyo Research Laboratory, Apr. 20,2000 discloses a protocol or process wherein certain parts of an XMLdocument are encrypted and the balance of the plaintext is notencrypted. The protocol is useful in three party transactions, forexample, when a buyer sends an order in an XML document to a merchantwhich contains the buyer's credit card information. The credit cardinformation is sent to a credit company and the merchant does not needto know the credit number as long as he obtains clearance orauthorization from the credit card company. Another instance is anaccess control policy which requires a certain part of an XML documentto be readable only by a privileged user (for example, a manager couldaccess the salary field in an employee records but others could onlyaccess name, phone and office fields). The Imamura article discussesencryption protocol, the delivery of keys and the utilization ofcompression. The article does not discuss separate storage of thecritical data apart from the plaintext of the XML document.

The Ingrain i100 Content Security Appliance product brochure, availablein June, 2001, discloses a system coupled to multiple web servers(computers) to accelerate secured transactions between multiple clientcomputers (over the Internet) and prevents Secure Sockets Layer SSLperformance bottlenecks by performing high-performance SSL handshakesand encrypting all data sent to back end servers using long-lived SSLsession.

An article entitled “Survivable Information Storage Systems” by J. WylieM. Bigrigg, J. Strunk, G. Ganger, H. Kiliccote, and P. Khosla, publishedAugust, 2000 in COMPUTER, pp. 61-67, discloses a PASIS architecturewhich combines decentralized storage system technologies, dataredundancy and encoding and dynamic self-maintenance to createsurvivable information storage. The Bigrigg article states that toachieve survivability, storage systems must be decentralized and mustspread information among independent storage nodes. The decentralizedstorage systems partition information among nodes using datadistribution and redundancy schemes commonly associated with disc arraysystem such as RAID (redundancy array of independent discs) insuringscalable performance for tolerance. P. 61. Thresholding schemes—alsoknown as secret sharing schemes or information disbursal protocols—offeran alternative to these approaches which provide both informationconfidentiality and availability. These schemes and codes, replicate,and divide information to multiple pieces or shares that can be storedat different storage nodes. The system can only reconstruct theinformation when enough shares are available. P. 62. The PASISarchitecture combines decentralized storage systems, data redundancy andencoding and dynamic self-maintenance to achieve survivable informationstorage. The PASIS system uses threshold schemes to spread informationacross a decentralized collection of storage nodes. Client-side agentscommunicate with the collection of storage node to read and writeinformation, hiding decentralization from the client system. P. 62. Thedevice maintains unscrubable audit logs—that is, they cannot be erasedby client-side intruders—security personal can use the logs to partiallyidentify the propagation of intruder-tainted information around thesystem. P. 63. The article states that, as with any distributed storagesystem, PASIS requires a mechanism that translates object names—forexample file names—to storage locations. A directory service maps thenames of information objects stored in a PASIS system to the names ofthe shares that comprised the information object. A share's name has twoparts: the name of the storage node on which the share is located andthe local name of the share on the storage node. A PASIS file system canembed the information needed for this translation in directory entries.P. 63. To service a read request, the PASIS call client (a) looks up inthe directory service the names of the n shares that comprise theobject; (b) sends read requests to at least m of the n storage nodes;(c) collects the responses and continues to collect the responses untilthe client has collected m distinct shares; and (d) performs theappropriate threshold operation on the received shares to reconstructthe original information. P. 63. The p-m-n general threshold schemebreaks information into n shares so that (a) every shareholder has oneof the n shares; (b) any m of the shareholders can reconstruct theinformation; and (c) a group of fewer than p shareholders gains noinformation. P. 64. Secret-sharing schemes are m-m-n threshold schemesthat trade off information confidentiality and information availability:the higher the confidentiality guaranty, the more shares are required toreconstruct the original information object. Secret sharing schemes canbe thought of as a combination of splitting and replication techniques.P. 64. The article discusses the technique of decimation which dividesinformation objects into n pieces and stores each piece separately.Decimation decreases information availability because all shares must beavailable. It offers no information theoretic confidentiality becauseeach share expresses 1/n of the original information. P. 64. Shortsecret sharing encrypts the original information with a random key,stores the encryption key using secret sharing, and stores the encryptedinformation using information disbursal. P. 64. An extension to thethreshold schemes is cheater detection. In a threshold scheme thatprovides cheater detection, shares are constructed in such a fashionthat a client reconstructing the original information object can tell,with high probability, whether any shares have been modified. Thistechnique allows strong information integrity guarantees. Cheaterdetection can also be implemented using cryptographic techniques such asadding digest to information before storing it. P. 65. For the highestarchitecture to be effective as possible, it must make the fullflexibility of threshold schemes available to clients. The articlebelieves this option requires automated selection of appropriatethreshold schemes on a per object basis. This selection would combineobject characteristics and observations about the current systemenvironment. For example, a client would use short secret sharingprotocol to store an object larger than a particular size andconventional secret sharing protocol to store smaller objects. The sizethat determines which threshold scheme to use could be a function ofobject type, current system performance, or both. P. 67.

The MAIL sweeper and MIME sweeper programs by ReSoft International usesa keyword search engine to review e-mails for certain words or phrases.IF the e-mail does not clear the filter, the addressee data must clear adata base check to protect the privacy and/or confidentiality of thee-mail data. See re-soft.com/product/mimesweep. The Aladdin eSafeAppliance restricts outgoing e-mails from sending classifier orprohibited content. See aks.com/news/2001/esafe.

With respect to GPS or global positioning systems, U.S. Pat. No.5,982,897 to Clark; U.S. Pat. No. 6,370,629 to Hastings; U.S. Pat. No.6,154,172 to Piccionelli; U.S. Pat. No. 5,887,269 to Brunts; U.S. Pat.No. 5,842,023 to Tsumura; U.S. Pat. No. 5,778,304 to Grube; and U.S.Pat. No. 5,757,916 to MacDoran disclose the use of GPS triggered systemswhich deny access to information when that information is requested by aportable computing device, or limit the delivery of information to aportable device based upon the location of the device obtained from aGPS locator chip or system. Encryption of data to and from GPS locateddevices is also disclosed in one or more of the GPS references.

OBJECTS OF THE INVENTION

It is an object of the present invention to provide a data securitysystem, an information processing system and a method for securelystoring data and rebuilding that data in the presence of an adequatesecurity clearance.

It is another object of the present invention to provide a method forsecuring data on a single personal computer (PC), on a plurality ofcomputers linked together through a local area network (LAN) or a widearea network (WAN) or the Internet.

It is a further object of the present invention to provide a method forsecuring data utilizing a client-server computer system. Theclient-server computer system may be implemented over the Internet. Thesecurity system may be provided to the public, to government or toprivate entities as an Application Service Provider or ASP over theInternet.

It is a further object of the present invention to provide a method forsecuring data which is highly flexible and programmable by a user.

It is an additional object of the present invention to enable the userto establish (a) the scope of the security sensitive words, charactersor icon, data objects, (b) the future use (or destruction or encryption)of a filter enabling extraction of security sensitive data, (c) theselection of storage locations (local, removable, in an LAN, a WAN or onthe Internet) for extracted data and remainder or common data and (d)one or multiple levels of security limiting full reconstruction andenabling partial reconstruction of the extracted data and the remainderor common data.

It is another object of the present invention to establish and managethe separation of user-based communities of interest based uponcryptographically separated, need to know security levels.

It is another object to provide an adaptive system responsive to hackingattempts and hacking attacks.

These steps may be completely automated (after some parameters are setor programmed by a system administrator), may be fully programmable bythe user, or may be a combination of automated and manual controlsimplemented by the systems administrator and/or the user-client.

It is an object of the present invention to parse, disperse andreconstruct the data or data object thereby enabling secure storage ofthe data. For example, financial data maintained by an institute, can beparsed with an algorithm, the parsed segments dispersed off-site andaway from the financial institute, and, upon appropriate securityclearance, the dispersed data can be reconstructed to duplicate thedata. Large distribution of parsed data is contemplated by this aspectof the invention. The original data remains stable, operable andimmediately useful. The securing dispersed data is a back-up of theoriginal data.

It is a further object of the present invention to secure e-mail datatransmissions and web browser transmissions by extraction of securitysensitive data, facilitating the remote storage of said data and sendingremainder data to the e-mail addressee or the recipient.

It is another object of the present invention to use fine-grainedselection of security critical data, extraction and encryption andseparate storage of the secured data. The parsing or filtering ofplaintext, data object, file or data stream thereby bridges the gapbetween full encryption of the plaintext etc. and no encryption. Thepresent system is therefore a more efficient use of processing speeds,times, and storage resources.

It is a further object to create a credit card number or financial datascrubber. The scrubber may be employed to remove any security criticaldata.

It is another object of the present invention to permit the user todecide on and select a level of risk he or she believes appropriate byselecting no, minimal, intermediate or maximum levels of data security.

It is another object of the present invention to permit the user toaccess data security risks, access data processing resources (processingtime, storage facilities, data access time, etc.) and select a securitylevel which balances risks and resources.

It is a further object of the present invention to secure files and dataobjects in portable computing devices. This object is accomplished, inwhole or in part, by the system or method which extracts, disperses, viaa controlled release of data segments to storage locations, and permitsreconstruction utilizing security protocols to provide a security systemfor data.

It is another object of the present invention to permit the scrubbingsecurity icons from maps, credit card data or financial data from text,a data object or data stream.

It is a further object of the present invention to provide a method,process and system for handling sensitive words, characters and dataobjects (“words/objects”) in a MILS or multiple independent levels ofsecurity which MILS systems are currently used by various governmentalentities.

It is an additional object of the present invention to modify theexisting separated network, break free of the prior art constraints, andenable collaborative sharing and editing of documents across multiplesecurity levels.

It is another object of the present invention to provide cross domainexchanges of documents and permit collaboration on cross-domain basis.

It is a further object of the present invention to (a) permitmulti-level documents, that is, single documents which contain multiplesections of varying classification and compartmentalization; (b) promotesecrecy whereby users may never view sections of documents for whichthey do not have clearance or approval; (c) enhance editing, that is, tosave a document without disturbing sections of the document for whichthe editing party does not have sufficient clearance and approval; and(d) provide a high level of assurance in that the solution iscertifiable for deployment in secret and below environments.

It is an additional object of the present invention to deploy theinventive solution to potential applications in a wide range of publicand commercial settings. For example, patient records have stringentrequirements on releasability, yet multiple individuals have needs toaccess and update information. Similarly, universities requireconfidentiality of student records, and grades, again with many accessroles defined. In the commercial world, inter-corporate collaborationcan be significantly enhanced through the use of shared documents thatlimit information exposure, from confidential comments, throughproprietary information, to enforcing Chinese wall style integritypolicies.

It is a further object of the present invention to provide an adaptivefilter which can be built for single or multiple uses by (a) accepting abase set of security sensitive words, characters, icons and/or dataobjects and then (b) building a filter which identifies the sensitivewords/objects in the compilation of additional data (typically networkedto the user's filter generator), and retrieves contextual, semiotic andtaxonomic words/objects from the additional data compilation that arerelated to the sensitive words/objects.

It is an additional object of the present invention to provide anadaptive filter that can be used to defeat inference engine attacks onthe secured document by construction the filter at each security sessionor periodically.

It is another object of the present invention to provide an adaptivefilter, an editor and in general a security system which representsmultiple layers of defenses in depth.

It is a further object of the present invention to provide a basiceditor which output matches the current protocols for various securitylevels, which can be configured to match security concerns withcompliance with law, regulation or policy, privacy, national,organizational or private security concerns, which can be added to theadaptive filter, and which provide the user with choices of securedocument storage, dispersion, survival and “pay per view” or thepurchase of sensitive word/objects to complete a partially re-assembleddocument.

It is a further object of the present invention to provide an inventivesystem that adopts an information rights management approach rather thanlimiting access to information due to the ownership of the network.

It is an additional object of the present invention to provide a systemwhich is decentralized and distributed in a coordinated environmentwherein different entities can share information and which facilitatesthe sharing of all information across all levels of security andprovides an automated enforcement of policy.

SUMMARY OF THE INVENTION

The method for securing data in a computer system in one embodimentincludes establishing a group of security sensitive words, characters,icons, data streams or data objects, filtering the data input from adata input device and extracting the security sensitive data. Theextracted data is separated from the remainder data and is separatelystored. In one embodiment on a personal computer (PC) system, theextracted data and the remainder or common data is stored in different,distributed memory segments. In a network implementation, the extracteddata may be stored in one computer and the remainder or common data maybe stored in another computer. In a client-server implementation, theserver may direct storage of the extracted data to a different locationthan the remainder data, either on the server or on a further memorysystem (computer) interconnected to the server or on the client computerand in distributed memory segments. A map may be generated by a softwaremodule or sub-system indicating the location of the extracted data andthe remainder data in the network. The filter may be destroyed (via adeletion routine) or may be retained for future use by the user. Ifretained, encryption is preferred. The map may be stored on the clientcomputer or the user's PC or may be stored on the server. Copies of themap may be removed (deleted) from the user's PC or the client computer.The map may be encrypted. The extracted data and/or the remainder datamay be removed (deleted or scrubbed) from the originating computer.Encryption can be utilized to further enhance the security levels of thesystem. All transfers of the filter between the client to the server maybe encrypted, and all data (whether extracted data or remainder data)may be encrypted prior to storage in the distributed memory. Anytransfer of extracted data or remainder data or maps or filters mayinclude an encryption feature. Reconstruction of the data is permittedonly in the presence of a predetermined security clearance. A pluralityof security clearances might be required which would enable acorresponding plurality of reconstructing users to view all or portionsof the data. Persons with low level security clearance would only bepermitted to have access to low level extracted data (low level securitysensitive data) and the common data. Persons with high level securityclearances would be permitted access to the entire documentreconstituted from the extracted data and the remainder data. A computerreadable medium containing programming instructions carrying out themethodology for securing data is also described herein. An informationprocessing system for securing data is also described.

In another embodiment, the method for securing data in a computernetwork and transparently establishing and managing the separation ofuser-based communities of interest based upon cryptographicallyseparated, need to know, security levels, by necessity, utilizescommunities of interest representing a plurality of users havingcorresponding similar security levels, each with a respective securityclearance. In other words, all members of Community A have the samesecurity level and security clearance, which is different than the usersof Community B which have a different security level and securityclearance. The method and the computer media containing programminginstructions includes filtering data from the data input computer,extracting security sensitive words, phrases, characters, icons, or dataobjects and forming subsets of extracted data and remainder data. Thesubsets of extracted data are stored in one or more computer memories inthe network identified as extracted stores. The remainder data is alsostored in the network if necessary. Reconstruction of some or all of thedata via one or more of the subsets of extracted data and the remainderdata is permitted only in the presence of a predetermined securityclearance from the plurality of security levels. The cryptographicallyseparated, need to know, security levels correspond to respective onesof the plurality of security levels and the method includes, in oneembodiment, encrypting subsets of extracted data with correspondingdegrees of encryption associated with the plurality of security levels.During reconstruction, all or a portion of the plaintext data isdecrypted only in the presence of the respective security level. Theinformation processing system which secures data per the community ofinterest security level in the includes a data filter for the data inputfrom the data input computer which extracts the security sensitivewords, phrases, icons or data objects. A system and a methodology forstoring the subsets of extracted data and remainder data is provided anda compiler permits reconstruction of some or all of the plain text datain the presence of an appropriate security clearance level. Multiplelevel encryption in one document is also available.

An adaptive method of securing data responsive to a plurality of hackingevents utilizes a hacking monitor which generates a correspondingplurality of hack warnings dependent upon the severity of the hackingattack. Based upon respective ones of the hacking or hack warnings, datais filtered to extract security sensitive words, phrases etc. and theextracted data and the remainder data (if necessary) is stored based onthe degree of hack warning. Reconstruction is permitted of some or allthe data utilizing the extracted data and the remainder data only in thepresence of the predetermined security clearance level. Automaticreconstruction is permitted after the hack attack terminates. The methodsometimes includes encrypting extracted data dependent upon the degreeor severity of the hack warning and decrypting that data duringreconstruction. A computer readable medium containing programminginstructions similar to the method is also provided. The informationprocessing system includes a filter which is adjusted based upon thedegree of hack warning to extract security sensitive words. A storagesystem stores extracted data and remainder data (if necessary) basedupon the level of the hack warning and a compiler is used to reconstructthe data in the presence of the appropriate security clearance level.

The parsing and dispersion aspects of the present invention enable theuser to parse, disperse and reconstruct the data or data object therebyenabling secure storage of the data. The original data may be maintainedin its original state and stored as is customary, encrypted ordestroyed. For example, financial data may be maintained by an institutein its original state, and a copy thereof can be parsed with analgorithm, the parsed segments dispersed off-site, (that is, separatedand stored in extract and remainder stores or computer memories), awayfrom the financial institute, and, upon appropriate security clearance,the dispersed data can be reconstructed to duplicate the data. Largedistribution of parsed data is contemplated by this aspect of theinvention. The original data remains stable, operable and immediatelyuseful in its stored location. The secured and dispersed data is aback-up of the original data. Destruction of the original source is alsoan alternative embodiment.

Another embodiment of the present invention operates in an e-mail or aweb browser environment. In a specific embodiment, the inventionoperates as a credit card or financial data scrubber. The e-mail datahas one or more security sensitive words, characters or icons and themethod or computer program works in a distributed computer system with aremote memory designated as an extract store. The method extracts thesecurity sensitive words, characters or icons from said e-mail data toobtain extracted data and remainder data therefrom. The extracted datais stored in the extract store. The methodology emails the remainderdata to the addressee. The addressee is permitted to retrieve theextracted data from said extract store only in the presence of apredetermined security clearance and hence, reconstruct the e-mail datawith said extracted data and remainder data. The program and method onthe user's e-mail device extracts the security sensitive data,facilitates storage of the extracted data in said extract store and,emails the remainder data to the addressee. Rather than extractingsecurity data, the method and program may parse the data. The method andprogram for safeguarding data entered via a browser involves extractingsecurity sensitive data, facilitating the storage of such data in theremote store, and forwarding the remainder data to a targeteddestination in the distributed computer system. The scrubber may utilizea pop-up window to enable user activation of the scrubber on an email ora web browser communication.

In a computer system with a portable computing device, the methodsecures security sensitive words, characters, icons, data streams ordata objects by determining when the portable computing device is withinor without a predetermined region and then extracting the securitysensitive data from the file, text, data object or whatever. Theextracted data is separated from the remainder data and is separatelystored either on media in a local drive or remotely, typically viawireless communications network, to a remote store. In a militaryapplication, security icons on a map are extracted, remotely stored andtherefore access to the secured data is limited geographically andfurther by password or pass code control. Encryption can be utilized tofurther enhance the security levels of the system. Extraction may beautomatic, that is, when the portable device is beyond a predeterminedterritory, or it may be triggered by an event, such a “save document” ora time-out routine. Reconstruction of the data is permitted only in thepresence of a predetermined security clearance and within certaingeographic territories. A computer readable medium containingprogramming instructions carrying out the methodology for securing datais also described herein. An information processing system for securingdata is also described.

The present invention can be configured in various forms. The followingdescriptions discuss various aspects of the invention and furtheradvantages thereof.

The present invention enables the user to obtain automaticclassification and declassification of documents on the fly. Theextraction process downgrades and declassifies documents on the fly (inreal time) so that they are useless to unauthorized parties.Presentation by a user of a valid security clearance enablessubstantially instant and seamless reconstitution of the securitysensitive content.

The present invention can be configured to automatically secureunstructured documents and freeform documents, for example, e-mail,instant messaging, or Word documents (input documents).

The present invention may also be configured to automatically securestructured documents and transactional documents for example, databaserecords or XML documents (input documents).

The present invention introduces flexibility into security management,risk management of data, data storage, and data flows and enableautomatic responsiveness to threats. The innovation enables automaticresponse to security challenges and threats. The innovation canmaintain, upgrade and downgrade the levels of security throughimplementation of a leveled granular extraction process and acontrolled-release mechanism. Attacks or other external events cantrigger a response in the form of higher extraction levels, expandingthe type of content extracted, and constricting the release of importantand critical data control from storage. How much and what to extractdepends on the level of threat or perceived risk. In same manner, theamount and type of content released from storage and reconstituteddepends on the level of threat or risk perceived by the system. Thesystem delivers a level of security protection specifically matched tomeet security needs as dictated by the changing security threats,environment, policy and organizational needs.

The present invention enables a user to introduce and maintain multiplelevels and standards of security. It is common knowledge that thehighest security is delivered through total separation. Whereas thisconcept has only been implemented physically or by isolating computerenvironments, the invention achieves this concept of total separationwithin open and networked computer environments. The invention canimplement a total physical and logical separation of important andcritical data from its context and can preclude access to thatinformation without a needed granular access permission. The inventionis also effective for sounds and images (data objects or data streamswith security words, characters, terms, icons or other data objects).

Some aspects of the present invention introduce a new method andapparatus to monitor security sensitive content through a process ofanalysis and categorization of each word or character, in a document.The invention enables processing of every character, word, number, asthey are entered into a document and categorizes each into one of manypre-set categories. Categories can include surnames, locations,currency, defined terminology, and unknown words or phrases.

The present invention, in some embodiments, introduces a method andapparatus for plain text extraction and dispersion of security sensitivedata. Maximum security with traditional methods encumbers free flow ofinformation and business efficiency. Encryption burdens computer systemswith high performance overhead, and its use is limited to the partieswho have decryption capabilities. The invention offers a new solution.It enables leveled security in plain-text format, in addition to none,some, or all of pre-existing encryption, decryption, firewalls, andother security infrastructure. The level of security is determined bythe extent of the security sensitive items, selection process; theextent of dispersal to various distributed storage locations; the rulesfor controlled-release from storage; and the access rules governing thereconstitution of extracts into the secured document.

In this configuration of the invention, the extractions are dispersed todistributed storage on a granular level. The rest of the document can bestored at its original location and/or other storage locations.Dispersal of extractions introduces new barriers not existing in currentsecurity. In certain situations, an attacker has first to find the(encrypted) map to the locations, then locate and access the distributedstorage, get the data released from the controlled-release storage, andfinally reintegrate the extracts into the appropriate documents.

Further, the present invention enables the user to implement a methodand apparatus for targeted extraction and encryption of securitysensitive items. The extraction capabilities of the system enabledifferent workflow modes. The system enables extraction and encryptionof important and critical content. In essence, only the critical contentis extracted and/or encrypted, whereas the rest of the document remainsas plaintext. This capability enables the following: advantages andflexibility; and the ability to share the document within theorganization or transmit it to outsiders while still maintainingsecurity over the most important and critical content of the document.This is an automatic process for controlling the content of outgoinge-mail. The document owner releases the important and critical contentby enabling access to it to defined parties at defined times withindefined threat modes.

The present invention, in some implementations, introduces a method andapparatus for encrypting document or extractions with multipleencryption types. The invention can deliver the highest level ofsecurity by using multiple types of encryption (and/or multiple keys)for one line, paragraph or document. Maximum security is deliveredthrough automatic selection of security sensitive items, and encryptingthese extractions with one or more types of encryption. The remainderdata can also be encrypted. Multiple encryption types within onedocument statistically precludes deciphering that document regardless ofthe available computer power. Common encryption methods are vulnerablethrough existing technologies, social engineering methods, carelessness,and workflow habits. Furthermore, simple encryption becomes morevulnerable (including triple DES) assuming future mathematicalbreakthroughs or quantum computing. Existing methods to crack blockciphers are being improved to compromise the future AES Rinjdaelstandard.

The present invention also enables the user to configure the system tointroduce a method and apparatus for content dispersion. The innovationenables control over specific important and critical content itemswithin the general contents of documents or digital files in a computeror within a network. The immediate controlled-release of those importantcontent items according to specific identification and access criteriaproactively safeguards the security and the value of documents ordigital files. The content control enables broad dissemination of thedigital files in closed networks, as well as open networks including theInternet, without compromising the security of the important andcritical information in the digital file. The dispersal channels caninclude any of all of the following: networks, Internet, Virtual PrivateChannel. Telephone lines, Optical lines, Wireless, Fax, Documents,Verbal communication.

The present invention, when configured in an appropriate manner,introduces a method and apparatus for enhancing the survivabilitycapabilities of an organization and its networks. If networks getdamaged, the decryption capability, such as PKI, is likely to becompromised, or at a minimum, suspended. In such instances, theinvention enables continuation of work on channels, which need not besecure. In addition, the dispersion of information guarantees maximumpartial reconstitution to documents and transactions, or totalreconstitution to documents and transactions benefiting from backup atdistributed storage facilities.

The present invention, in the appropriate environment, introduces amethod and apparatus for delivering security for inter-connectingnetworks. It enables security for closed networks connecting to theInternet and other open networks. The Internet infrastructure and opennetworks are not secure. Even secured closed networks, such as VPNs, arenot secured enough. The critical content of documents is the criticalasset of the organization and must be highly secured, with maximumreliability, full transparency and instant accessibility. To remaincompetitive, organizations must maximize utility of the critical datawithin their documents, files, databases and servers. The securing ofsuch documents must not be at the expense of compromising the access orprocessing speed of such documents. The invention enables work in plaintext, as well as with encryption. Working in plain text reduces thecomputing performance overload.

Some aspects of the present invention introduce a method and apparatusfor delivering information flow control in decentralized environments.Protection of privacy and confidentiality of information represents along-standing challenge, The challenge has become much bigger with theexpansion of the Internet, which has created decentralized networks.Parties, who do not know or trust each other, have to exchangeinformation. The invention enables free flow and sharing of informationbetween parties by removing burdening security restrictions and creatingtop security with a controlled-release of the security sensitive contentin the documents. The technology enables top security throughintroduction of user and organization's ownership and control of thecritical granular data in documents.

The system, in certain embodiments, introduces an additional layer ofaccess controls at the granular level of the user document. In order toview the reconstructed critical information the user would need to beverified by additional access controls at the data storage level. Theuser access code or a physical key enables release of data from thestorage. Today's access controls do not stop the user from distributingdocuments to other parties. The inventions fined grainedcontrolled-release mechanism releases the critical information, onlyunder a required set of circumstances and access validation. Theinvention enables the user ownership of his security sensitive criticaldata and conditions for its release and dissemination. The user has theoption to hide the critical data through declassification process andrelease through a reclassification process in which the critical datawould be reconstituted in the document.

The present invention, when configured by the user, introduces a methodand apparatus for delivering compartmentalization of security sensitivecontent by leveled access to users. The invention creates leveledsharing of information, for example such that persons with level 3access will have keys for encryption type RSA persons with level access2 will have access to Blowfish encryption within one document.

The present invention, in certain embodiments, introduces a method andapparatus for enabling more use of distributed and dispersed storageincluding ASPs (application service providers). There is a major humantendency to refrain from sending important documents to web storagelocations because of potential security breaches. This cultural issue isboth driven by psychological issues and well-founded security concerns.The retention of those documents as is in physical proximity or lockedsecurity, provides actual security but precludes gaining any utilityfrom those documents in a functional business setting. Instead theinvention enables functional distribution of those documents without thesecurity sensitive data, and a controlled-release of some or all of theextractions in a granular way in order to support business activitieswhile retaining security.

The present invention, in certain configurations, introduces a methodand apparatus for enabling lower storage costs. The extraction processdeclassifies and downgrades mission critical documents. The downgradingand transformation of a critical document into a non-critical document,enables storage in less secured and lower cost storage. Taking advantageof this security-initiated, extraction process can yield substantialstorage cost savings. The invention enables a high return on investmentROI for system storage cost arbitrage. Splitting the data into criticaland non-critical enables 20 to 90% savings on storage cost.

The present invention, in certain circumstances, delivers an automatedsecurity risk management system that creates added in-depth securitydefenses at the semantic-level as well as creation of controlled-releasemechanisms at the storage-level with significantly reduced performanceoverhead requirements.

Certain embodiments of the present invention present a technology whichanswers the security demands as required by Committee on InformationSystems Trustworthiness of the National Research Council. TheCommittee's report, Trust in Cyberspace (1999), defines the securityparadigms needed for a safe future. The report states: The substantialcommercial off-the-shelf (COTS) makeup of a network information systems,the use of extensible components, the expectation of growth byaccretion, and the likely absence of centralized control, trust, orauthority demand a new approach to security: risk mitigation rather thanrisk avoidance; technologies to hinder attacks, rather than prevent themoutright; add-on technologies and defense in depth; relocation ofvulnerabilities rather than their elimination; none of the existing orsecurity technologies addresses these needs in whole. The inventionbreakthroughs this barrier by providing a single system which implementseach one of those four elements in a unified way. The invention controlsinformation flow in centralized and decentralized environments, throughcontrolled-release of information within distributed systems.

The present invention can be implemented to enable certain securitymeasures while accommodating the performance needs of a network. Theinvention provides a method and apparatus to ease overhead performanceon congested computer networks. It can adjust the security defensesbased on the performance needs of the network. Many security systemsoverburden the already burdened computing environment in terms ofcomputational overhead, labor, and training requirements. The inventionenables to ease the overhead performance of a network by transformingfrom high overhead performance, encryption methods, and other securitymethods, to the method presented by this invention.

Certain aspects of the present invention minimize the time of exposureof the important content within a document. The invention enables toseparate the important content from the rest of the document forsubstantial periods of time, thereby minimizing substantially theexposure to risk. It is possible for example to extract the importantcontent from the document and release it for reconstitution only whenthe user will open the document. In such situations the importantcontent could for example be time and unexposed for over 99% of the timeand exposed for less than 1% of the time, which lowers the risksubstantially.

Further, embodiments of the present invention provide a security riskmanagement method and system to minimize security risks. The inventionenables minimization of security risks by: Automatic separation andextraction of granular critical data from the core document. Dispersalof the extracted critical data groups to different secured storagelocations. Reconstitution of the critical data in document for limitedtime, to minimize exposure to risk. Partial reconstitution, of thecritical data, in core document, through a controlled release ofgranular critical data. Granular controlled release of data to specificauthorized people only.

The present invention, in certain configurations, provides a controlledrelease security mechanism to enable the release of content and granularcontent from storage locations in a centralized and decentralizedenvironment. The controlled release mechanism enables release of theappropriate content to the authorized party at the right time under theright circumstances.

The present invention sometimes provides a security solution againstdamage by insiders. Studies show that insiders cause 70%-85% of thedamage. These nine innovations are described in detail as follows: Theinvention enables insiders and employees to work with documents whilemanagers and owners control the release of the critical prioritizedinformation. The control is granular, thereby enabling continued workwith the rest of the content in the document. The objective is toempower the user with the highest security while enabling him maximumsharing and delivery flexibility. This enables free flow of informationbetween closed networks and public networks, such as the Internet,without compromising the security through extraction of important andcritical content. The user can transport documents through variousnetworks and e-mail services knowing that the critical information,which is still under control, and is not compromised.

The present invention can be configured to provide an automatic securitysystem in order to overcome human flaws that create securityvulnerabilities. Human engineering flaws are the cause of 90% ofsecurity vulnerabilities. For example, passwords are exposed throughhuman fault enabling reading of plain text before it is encrypted. Theinvention enables an automatic process of appropriate response tosecurity threats in an objective way and on an on going basis.

Certain aspects of the present invention provide an automatic securitysystem in order to reduce human labor, and training costs.

The present invention provides, in one or more embodiments, protectionfor important granular content within a document. A feature left out incomputer development is the protection and automatic protection ofgranular important content in a document. In every facet of lifecritical assets are immediately protected. For example, credit cards andcash are protected in a wallet, important items at home are placed inclosets, wall units, cabinets and safes. The present system extracts thedigital equivalent of these items, e.g., extracts all credit card data,and stores the extracted data in secure location(s).

In general, the present invention provides an alternative method toencryption. Mathematical security and encryption could be broken.Discovery of a mathematical equation for a shortcut of the factoring ofprime numbers would be make mathematical security and encryptionextremely vulnerable.

In 1999 a 512-bit RSA key was broken—at that time 95% of keys ine-commerce were 512 bits long. U.S. government 56-bit Data EncryptionStandard was cracked in just 22 hours by the Freedom Foundation. 100,000PCs were connected with a supercomputer which enabled the testing of 245billion keys per second.

The invention, in a larger sense, provides an automated security riskmanagement system. The system automatically responds to attacks bymatching the defenses level to the level of threats. The system respondsto security threats through the following mechanisms: (1) controlledextraction of sensitive security data: in normal circumstances,extractions will take place according to pre-set rules; in threatsituations, additional extractions will take place to deliver highersecurity; in an attack, additional substantial amounts of critical datawill be extracted to deliver the highest security; (2) controlleddispersal to storage locations; in normal circumstances, dispersal todifferent storage locations according to pre-set rules will take place;in threat and attack situations, more dispersal to more storagelocations, via additional communication channels will take place; and(3) controlled release of extracts for reconstitution; controllingamount of extracts released for reconstitution; controlling time ofexposure of extracts in reconstitution; limiting access to specificpeople; and limiting access to specific times.

The present invention also defends, in certain embodiments, againstdevices like keyboard sniffers and mouse sniffers that can readinformation keyed into the computer and transmit it to an adversary. Theinvention enables to input security sensitive items through data inputdevices other than the keyboard. For example credit card numbers can beinputted through a hand held wireless devise. The inputted data would betransferred to storage for possible reconstitution.

The present invention can also be configured to defend against devicesthat intercept electromagnetic signals from computers, monitors,printers, and keyboards. For example the Van Eck receptors which canread information off the screen the display screen. The inventionenables separation contents of document into two or more displaysthereby limiting the potential damage of electromagnetic eavesdropping.

The present invention, in many embodiments, enables the controlledrelease of data objects, full or partial release of plaintext sourcedocuments to persons or organizations with the appropriate securityclearances.

Another object of the present invention is to enable the control ofinformation flow over a PC, a network, a LAN, a WAN and over theInternet.

A further object of the present invention is to enable theinteroperability of several secured networks based upon the relativesecurity clearances of each network.

It is another object of the present invention to provide a process forsynthesizing a document.

In one embodiment, the method, program and information processing systemsecures data, and particularly security sensitive words, characters ordata objects in the data, in a computer system with multiple independentlevels of security (MILS). Each level of MILS has a computer sub-networkwith networked workstations. The MILS sub-networks are connectedtogether via security guard computer(s) and each guard computer hasseparate memories for each level (TS, S, C, UC (or remainder)). Themethod extracts the security sensitive words/data (a granular action),from the source document for each MILS level, stores the extracted datain a corresponding extract store for each level and permitsreconstruction/reassembly of the dispersed data via said extracted dataat each said level of said multiple security levels and remainder dataonly in the presence of a predetermined security clearance commensuratewith each MILS level.

In another embodiment, the method, program and information processingsystem involves filtering and securing data (security sensitivewords-characters-data objects) in a source document. The adaptive filteruses a compilation of additional data (typically, but not necessarily,provided via a computer network) and identifies the sensitivewords/objects in the compilation of additional data, retrievescontextual, semiotic and taxonomic words/objects from the additionaldata compilation that are related to the sensitive words/objects. Afilter is compiled with the retrieved data and the filter is used toextract sensitive words/objects and the retrieved data (words/objects)from the source document to obtain extracted data and remainder datatherefrom. The resulting scrubbed document can be pushed or transmittedto others having a need to know or can be dispersed into classifiedmemories unique to each security level. Contextual words related to thesecurity sensitive words/objects are obtained based upon statisticalanalysis of the additional data compilation. Semiotic words related tothe security words are synonyms, antonyms, and pseudonyms, syntacticsrelative to the target words and retrieved words, and pragmaticsrelative to the sensitive words and retrieved words as reflected in thecompilation of additional data. The taxonomic words, characters or dataobjects from the compilation of additional data is based uponcategorization and classification of the sensitive words/objects aslocated and as reflected in the compilation of additional data.

In another embodiment of the invention, the method, program andinformation processing system secures data (security sensitive words,characters or data objects) contained in a data source document with aneditor. In a simple implementation, the security sensitive words/objectsare known and are pre-grouped into subsets corresponding to respectivesecurity levels. The program electronically identifies and displays, insitu in the source document, the sensitive words/objects and uniquelydisplays each subset of sensitive words/objects. Additionally, thesystem conforms the precursor data document (marked by security subset)to predetermined protocols for each security levels by identifying anddisplaying in situ adjunctive words/objects. Upon command, the systeminserts security level tags corresponding to the plurality of securitylevels into the precursor data document at or near the identifiedsecurity sensitive words/objects and adjunctive words/objects. Themarked, precursor document is then processed to extract the identifiedsensitive words/objects and adjunctive words/objects. The stripped orscrubbed data, that is, the extracted data is either separately storedfrom remainder data (UC unclassified data) or partial versions of theextracted data with the remainder data is stored based upon securitylevels unique to each partial version. The process may, upon command,insert placeholders into the remainder data which mark the extracteddata. This process may be automatic. Further, manual additions to themarked sensitive words/objects is permitted.

In a more comprehensive security editor, a method, process and programof securing content data and meta data contained in a document formattedas a document object model (DOM) is provided. The document object modelhas a blueprint and root, branch and leaf components. The editor mapsthe root, branch and leaf components of the source document as binaryfiles populated with content data and meta data representing subsets ofthe document object model blueprint. Security introns and associatedcontent data and meta data are excluded from further processing. Thesecurity introns are previously identified with respect to the DOMblueprint (the blueprint provided by the DOM vendor) based uponpredetermined informational attributes relative to the document objectmodel. Introns are identified by the organization subject to thesecurity clearance. The method/process/program obtains a security safedocument formatted as a safe document object model. Security exons arecopied from the content data and meta data binary files into thesecurity safe document (template) formatted as the safe document objectmodel. Thereafter, the system extracts the security sensitive words,characters or data objects from the copied content data and meta dataand either stores the extracted data separately from remainder data orstores partial versions of the extracted data with the remainder databased upon security levels unique to each partial version.

BRIEF DESCRIPTION OF THE DRAWINGS

Further objects and advantages of the present invention can be found inthe detailed description of the preferred embodiments when taken inconjunction with the accompanying drawings in which:

FIG. 1A diagrammatically illustrates a basic system diagram showingfiltering and storing extracted data and remainder or common data and,in an enhanced embodiment, generating and storing a map.

FIG. 1B diagrammatically illustrates a system diagram showingreconstruction of the data, various security clearances and bothelectronic reconstruction and visual reconstruction.

FIG. 2 diagrammatically illustrates a system showing major components ofa single personal computer (PC) system, a networked system with severalPCs (a LAN or WAN) and the network coupled to a telecommunicationssystem and the Internet and shows the interconnection with a server andmultiple, Internet-connected memory units.

FIG. 3 diagrammatically illustrates a basic flowchart showingreconstruction for various security levels.

FIG. 3A diagrammatically illustrates interleaving distinct data intodifferent memory locations in a video memory.

FIG. 4 diagrammatically illustrates a flowchart showing one embodimentof the principal portions of the data security program.

FIG. 5 diagrammatically illustrates a flowchart showing the basicelements of the reconstruction process for the data security program.

FIG. 6 is a computer network diagram showing various user communities.

FIG. 7a diagrammatically illustrates a flowchart showing the keycomponent steps for the multiple layer security program for thecommunity of users.

FIG. 7b diagrammatically illustrates a multiple level security systemaccessed by users having different security clearances (which alsorepresents a data mining system and operation).

FIG. 8 diagrammatically illustrates a flowchart showing the keycomponents of an adaptive security program adaptable to various levelsof electronic attacks, hacker or hack attacks.

FIG. 9 diagrammatically illustrates a flowchart showing the keycomponents of a multiple encryption program using multiple types ofencryption in one document or data object.

FIG. 10 diagrammatically illustrates a chart showing the key componentsof the parsing, dispersion, multiple storage and reconstruction (undersecurity clearance) of data.

FIGS. 11A and 11B diagrammatically illustrate a flowchart showing thekey components of one embodiment of the e-mail security system (jumppoints 11-A and 11-B link the flow charts).

FIGS. 12A and 12B diagrammatically illustrate a flowchart showing thekey components of one embodiment of the invention implements thesecurity system on a web browser (ump point 12-A links the flow charts).

FIG. 13 diagrammatically shows several revenue systems which may beemployed with the data security systems described herein.

FIG. 14 diagrammatically illustrates a portable computing device (or thecritical parts thereof, see FIG. 2 for further details) associated withthe portable data security locator system and method.

FIG. 15 diagrammatically illustrates a basic flow chart for the portablesecurity system program in accordance with the basic principles of thepresent invention.

FIG. 16 diagrammatically illustrates a MILS or multiple independentlevels of security computer network with three (3) sub-networks atsecurity levels top secret TS, secret S, and unclassified U.

FIG. 17 diagrammatically illustrates a security guard computer useful inthe network of FIG. 16.

FIG. 18 diagrammatically illustrates a workstation useful in the MILSnetwork.

FIG. 19 diagrammatically illustrates a filter program flow chart.

FIG. 20 diagrammatically illustrates a basic security editor program.

FIGS. 21A, 21B, 21C and 21D diagrammatically illustrate screen shotsshowing the operation of the basic editor program.

FIG. 22 diagrammatically illustrates the root, branch and leaf structureof a DOM or document object model.

FIG. 23 diagrammatically illustrates a small portion of the MS Officedocument DOM.

FIG. 24 diagrammatically illustrates a general flow chart for acomprehensive filter operable on a document DOM.

FIG. 25 diagrammatically illustrates a basic application of thecomprehensive DOM editor.

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS

The present invention relates to a data security system, a methodologyof securing data on a personal computer (PC) system, on a computernetwork (LAN or WAN) and over the Internet and computer programs andcomputer modules and an information processing system to accomplish thissecurity system.

It is important to know that the embodiments illustrated herein anddescribed herein below are only examples of the many advantageous usesof the innovative teachings set forth herein. In general, statementsmade in the specification of the present application do not necessarilylimit any of the various claimed inventions. Moreover, some statementsmay apply to some inventive features but not to others. In general,unless otherwise indicated, singular elements may be in the plural andvice versa with no loss of generality. In the drawings, like numeralsrefer to like parts or features throughout the several views.

The present invention could be produced in hardware or software, or in acombination of hardware and software, and these implementations would beknown to one of ordinary skill in the art. The system, or method,according to the inventive principles as disclosed in connection withthe preferred embodiment, may be produced in a single computer systemhaving separate elements or means for performing the individualfunctions or steps described or claimed or one or more elements or meanscombining the performance of any of the functions or steps disclosed orclaimed, or may be arranged in a distributed computer system,interconnected by any suitable means as would be known by one ofordinary skill in the art.

According to the inventive principles as disclosed in connection withthe preferred embodiment, the invention and the inventive principles arenot limited to any particular kind of computer system but may be usedwith any general purpose computer, as would be known to one of ordinaryskill in the art, arranged to perform the functions described and themethod steps described. The operations of such a computer, as describedabove, may be according to a computer program contained on a medium foruse in the operation or control of the computer as would be known to oneof ordinary skill in the art. The computer medium which may be used tohold or contain the computer program product, may be a fixture of thecomputer such as an embedded memory or may be on a transportable mediumsuch as a disk, as would be known to one of ordinary skill in the art.

The invention is not limited to any particular computer program or logicor language, or instruction but may be practiced with any such suitableprogram, logic or language, or instructions as would be known to one ofordinary skill in the art. Without limiting the principles of thedisclosed invention any such computing system can include, inter alia,at least a computer readable medium allowing a computer to read data,instructions, messages or message packets, and other computer readableinformation from the computer readable medium. The computer readablemedium may include non-volatile memory, such as ROM, flash memory,floppy disk, disk drive memory, CD-ROM, and other permanent storage.Additionally, a computer readable medium may include, for example,volatile storage such as RAM, buffers, cache memory, and networkcircuits.

Furthermore, the computer readable medium may include computer readableinformation in a transitory state medium such as a network link and/or anetwork interface, including a wired network or a wireless network, thatallow a computer to read such computer readable information.

In the drawings, and sometimes in the specification, reference is madeto certain abbreviations. The following Abbreviations Table provides acorrespondence between the abbreviations and the item or feature.

Abbreviations Table A-com computer or memory store for common orremainder data ASP application service provider - server on a networkB-ext computer or memory store for extracted data bd board CD-RW compactdisk drive with read/write feature for CD disk comm. communications,typically telecommunications CPU central processing unit doc document drdrive, e.g., computer hard drive D & R dispersion and re-construct orre-assemble DS data storage e encryption ext-data extracted data I/Oinput/output I-com Internet storage for common or remainder data ididentify I-ext Internet storage for extracted data loc location memmemory MLS multilevel security obj object, for example, a data objectpgm program re regarding or relating to recon reconstruct rel releasereq request rev review sec. security SL security level (sometimes S1 forsec. Level 1, S2 is Level 2, etc., also, for example, TS is Top Secret,S is Secret, C is Classified, U is Unclassified)) sys system t timetele-com telecommunications system or network URL Uniform ResourceLocator, x pointer, or other network locator W St computer work station

Basic Operational Theory

FIG. 1A diagrammatically illustrates the basic processes forestablishing a secure storage of information, generally identifiedherein as “data.” “Data,” as used herein, includes any data object,e.g., text, images, icons, moving images, multiple images, datarepresenting sound, video, electronic streams of information, etc. Soundbites, data objects and video images may also be extracted as “data.” Asource document 100 containing data, sometimes referred to as a“plaintext,” is passed through a filter 102. Although it is convenientto discuss and understand the invention herein in connection with aplaintext document, the document 100 is a data object. It is not limitedto an electronic document representing words. The document 100represents a data object that may be, e.g., text, images, icons, movingimages, multiple images, data representing sound, video etc. The term“data object” as used in the claims is broadly defined as any item thatcan be represented in an electronic format such that the electronicformat can be manipulated by a computer as described herein. The dataobject, or as discussed herein, the “plaintext” is sent to a filter.Filter 102, in a most basic sense, separates out common text orremainder data 104 from uncommon text, words, characters, icons or dataobjects. The security sensitive words, characters, icons or data objectsare separated from remainder or common text 104 as extracted text 106.It should be noted that although the word “text” is utilized withrespect to remainder text 104 and extracted text 106, the “text” is adata object and includes words, phrases, paragraphs, single characters,portions of words, characters, whole or partial images, icons, sound orvideo or data objects. In a basic implementation, filter 102 may utilizea dictionary such that words present in the dictionary (common words)are separated from the source plaintext document 100 and placed intoremainder document or common data file 104. The uncommon words(extracted-security sensitive words), not found in the dictionary, wouldbe placed in an extracted text or extracted data file 106. For example,a business may wish to impose a security system on a contract documentsuch that the names of the contracting parties (not found in thedictionary) and the street names (not found in the dictionary) would bestored in extracted data text file 106. The common text or remainderdata would be stored in remainder data file 104. In the illustratedembodiment, remainder data file 104 also includes place holders whichenables the extracted data to be easily inserted or set back into theremainder data file.

Input or Initial Processing Considerations

The security sensitive words, characters, icons or data objects may beany word, phrase, letter, character, icon, data object (full orpartial), image or whatever, as pre-defined or as established by theuser. The user may specifically design the filter, begin with adictionary to define common terms, identify any additional securitysensitive words, letters, images, icon, data objects, partial versionsof the foregoing or any other granular aspect of the plaintext. Afterdefining the filter and accepting the data input, the system filters theplaintext and separates extracted data (security sensitive items) fromthe remainder data. The filter may also include elements of artificialintelligence (AI). For example, the user may select one word as asecurity word and the AI filter may automatically select all synonymouswords. The AI filter may enable the user to define a filter in real timeat the entry of data via a keyboard. For example, the user may select tosecure (i.e., extract and store) some proper names and may instruct thefilter to secure names such as Block, Smythe and Cherry. During input ofthe plaintext, the system may detect Smith and ask the user if he or shewants to secure (a) all proper names in a common name dictionarycollection and/or (b) all names with spellings similar to the filterinput data, Block, Smythe and Cherry. As is known in the art, AItypically uses inference engines to define one pathway or to outline acourse of action. The filter or extraction engine discussed herein canbe configured with AI, inference engines, neural network systems orother automatic systems to carry out the functionality described hereinfor the dynamic operation of the security system.

The system and methodology described herein also encompasses parsing theplain text document by bit count, word, word count, page count, linecount, paragraph count and parsing based upon any identifiable documentcharacteristic, capital letters, italics, underline, etc. Algorithms maybe implemented to parse the plain text document. The target of theparsing algorithm (a bit count, word, letter, etc.) is equivalent to the“security word, character or icon, data object” discussed herein. Theparsing occurs with the filtering of the plain text source document 100and the subsequent storage of extracted data apart from remainder data.

Storage

In a basic configuration, the common text or the remainder data isstored in common storage memory 108. This common or remainder data storeis identified as A-com generally referring to a segmented memory in a PCor a computer A in a network (LAN or WAN). It should be understood thatreference to “remainder data” is simply a short-hand representation ofdata that is not extracted or filtered by the system. Accordingly,“remainder data” is simply that data which can be viewed, manipulated orfurther processed by the user inputting or initially processing thedata. Remainder data storage 108 may include a confirm storage signalfunction 111 to send back a confirm storage signal to the data inputdevice generating source plaintext document 100. The extracted data file106 is stored in a different memory computer storage 110 (B-ext). In apreferred embodiment, memory segment 108 (A-com) is at a differentlocation than computer storage memory segment 110 (B-ext). In a PCembodiment, memory A-com is a different memory segment than memoryB-ext. In a networked embodiment, computer storage 108 may be on adifferent computer as compared with computer storage 110. In an Internetembodiment, common text or cleansed text storage is at one web site(which may be one computer) and the extracted, high security data isstored at another web site, buried web page or other Internet-accessiblememory store location. In any event, the remainder text is stored in amemory A-com and the extracted data or high security words, characters,icons or data objects are stored in memory B-ext. After storage of theextracted data in memory 110, a confirmation indicator 113 may begenerated to the client computer or the computer handling sourceplaintext input document 100 (the originating computer system).

As a simple example, the program configured in accordance with thepresent invention, could automatically detect entry of all credit cardnumbers types into a user's computer. The filter is set to detect theunique credit card sequence and data string. Assuming that the user'scomputer is operating a browser and the user is communicating with aserver on the Internet, the user's computer would filter out the creditcard number and send the number to a secure storage site. The securestorage site is owned, operated or leased by a trusted party. Theextracted data, i.e., the credit card data, is stored at the trustedsite. The URL or other identifying data is sent to the vendor from whichthe user wants to purchase goods and services over the Internet. Whenthe vendor seeks to complete the transaction, the vendor sends a requestcode to the secure site, the trusted party at the secure extracted datastorage site debits the user's credit card account (or otherwise debitsthe user's bank account) and sends an approval code to the vendor. Inthis manner, the vendor is never given the user's credit card—the cardnumber is sent to a trusted party automatically by the filter in thesecurity program described herein. The security program may beincorporated in a browser to automatically protect credit card data,personal data (as a method to become anonymous on the Internet), etc.from being deliberately broadcast to others on the Internet or to blockothers from snooping into the user's personal data while the usercommunicates over the Internet.

In a further enhancement of the present invention, the computer or datainput device handling source plaintext document 100 may also record thelocation of A-com 108 and B-ext 110. The location data is called hereina “map.” A memory mapping function is utilized. The map may be stored ina third memory location 112. Memory location map 112 may be a segment ofthe memory of the data input computer originating plaintext 100. The mapmay be encrypted for security reasons.

Extraction and Storage Enhancements

As a further enhancement of the present invention, the user, prior toinitiating the security system, may be given a choice of filtering outall the uncommon words or words not found in the dictionary and addingcertain security sensitive words, characters, icons or data objects tofilter 102. The added words or terms are filtered out with the uncommonwords. Of course, the user may be required to manually input allsecurity words or download the security word filter from the Internet oranother system on the LAN. For security systems having multiple securitylevels, a plurality of filters would be created, each filter associatedwith a different security level. Further, multiple security levels wouldrequire, in addition to remainder text document or data 104, a pluralityof extracted data documents 106. The common or remainder text documentor data 104 would still be stored in remainder computer storage A-com108. However, each extracted data document 106 would be stored in arespective, separate computer memory segment or computer B-ext 110.Separate storage of a plurality of extracted data at multiple, separatelocations in B-ext is one of the many important features of the presentinvention.

The ability of the program to locate security sensitive words orcharacters can be enhanced by using a telephone book, properlydissected, to identify a collection of last names. Cities and towns andstreet names can also be identified in this manner. The compilation oflast names and cities, towns and streets can be used as a list ofcritical, security sensitive words. The filter is represented by thiscompilation of words. Similar techniques may be used to create filtersfor scientific words, or words unique to a certain industry, or country.

In view of increasing levels of security relating to (a) the storagelocation A-com; (b) the transfer of remainder text document 104 tomemory computer storage A-com 108; (c) the storage of map 112 (possiblyencrypted); (d) the creation, storage or transfer of filter 102(possibly encrypted); (e) the storage of extracted data at memorystorage B-ext (whether singular or plural storage sites); and (f) thetransfer of extracted data thereto, the system may include an encryptione feature. The encryption e function 115, 117 and 118 isdiagrammatically illustrated in FIG. 1A.

The program of the present invention can be set to extract critical data(a) when the plaintext or the source document (data object) is created;(b) when the source document or data object is saved; (c) on aperiodicbasis; (d) automatically; (e) per user command; (f) per ascertainable orprogrammable event; and (g) a combination of the foregoing. Timing forstorage of the extracted data is based on these aspects. Reconstructionof the data object or plaintext may be (a) automatic and substantiallytransparent to the user; (b) based upon manual entry of securityclearance data; (c) periodic; or (d) a combination of the foregoingdependent upon outside events and who is the author of the data objector other definable aspects of the data object, its environment oforigination, current and anticipated security threats and itsenvironment of proposed reconstruction. The timing for the extraction,storage and reconstruction is oftentimes dependent upon the level ofsecurity required by the user and/or his or her organization.

The system and method creates a high level of security by automaticselection and removal of critical and prioritized contents from a dataobjects stream, whether it be a digital document, digital file,database, sound bite, video clip, other structured, or streaming dataformats. The system and method enables a controlled release of theextracted data objects, enabling instant display of the instantaneousreturned contents, contingent on verification of user identity, accessrights, time of operation, location of source and or user, destinationof source and or user, and determine threat modes. The system and methoddelivers high security by removal of the selected prioritized contentfrom memories. The copies and traces of the selected extracted contentsare eradicated from the computer memory while the separated extract datastream is transferred to a safe removed storage memory media. Theextract, extracts, and any part thereof, will be return transferred touser display as soon as identity and access rights are validated.

A replacement of the extract (sometimes called a placeholder) can alsobe substituted on-the-fly to provide updated results, misinformation,dis-information, messages, alerts, links (to reports, data mining,search engines, web sites, and hyperlinks understood in the currentart), advertisements, and personalization and customization. Thevalidation can be done instantly by password, challenge questions andanswers, remote verification (phone, video, or personal contact withuser), or by biometrics means.

The extraction of data objects within data streams includes words,structured data objects, characters, numbers, bullet points, footnotes,prices, images, sound segments, video segments, and selected digitaldata packets. The extraction is conducted by separating a source(original) data stream into two or more extracts data streams. Thedifferent data object extractions are separated into groups reflectingpredefined contextual categories and restitution applications (such asto enable customization and personalization for the same or differentusers). The modified source (original) stream typically contains themajority of data objects of the source stream, whereas the extractstreams contains a minority of the data objects which represent selectedand categorized information and information deemed to be of prioritizedimportance.

The extracted categorized data objects are separated into one or morecontiguous data streams. The extracted data stream or streams arescattered to one or more storage memory memories. The extracted data canbe transported and shuttled between different storage or projectionapparatus, as directed automatically by various constraints including:security risk criteria of threats and attacks, sources, targets, users,policies, time of day, and threat modes.

The extracted data, in some cases, is transported to an online removablestorage and under extreme security threats to an off-line/off-network,digital or physical vaulted storage. Transport and shuttle is based onthe level of security alert. The use and release of the vaultedextractions is controlled by a set of rules or organizational policywhich includes the following options among others: (a) A vaulting ofsome, all, or specific data object extracts for long or short periods oftime. (b) Release of extractions into a display, in which the extracteddata objects will reconstitute with the modified original data stream,the original data objects stream or original document. (c) Release ofextractions into a projection display in order to project with themodified data stream, the original document while maintaining completeseparation of the modified source data stream (the source modified bythe extraction of data objects and insertion of placeholders) and theextracted data object streams. (d) Release of extractions into aprojection display in order to project a reconstitution of the originaldocument, in other words to create altered versions of the originaldocument, while maintaining complete separation of the modified datastream and the extracted streams. (e) In situations of high securitythreats, release of extractions into another projection display, PDA,floppy disk, paper document a wireless display, an overlay transparencywhile maintaining logical and physical separation of delivery streams.This will enable working with a representation of the initial source,but not the initial source itself, while understanding the prevalent,critical extracted information without comprising security to theinitial source material by exposing sensitive, identifying, or criticalinformation. (f) The distribution of sources, modified sources, orextracts to remote and distributed viewing devices. (g) Enable theongoing operation of information delivery and display in defiance ofknown ongoing or unknown security flaws, breaches, or eventscompromising the general state of security. (h) The delivery of distinctand separate data streams, delivered on the same or different channelsand media, each with minimal, limited, or even substantial usefulness inand by itself, that can be overlaid logically or physically toreconstitute the identifying data stream and display. Separate displaydevices can be used to create a composite image or they can be overlaidto physically separate display devices to reconstitute a usefulcomposite display.

The objective is to create security for the single computer or extendednetwork. When an intruder penetrates preexisting firewalls and othersecurity systems, the data object and streams, digital documents, anddigital files which will be valueless and prioritized data objectsrendered unidentifiable, the penetration is valueless because thecritical strategic information has been exported to a vaulted storage.Competitors or hackers, who learn that a computer or network isprotected by the system and method, might decide to attack anothertarget instead. This is comparable to a situation in which a bankrobber, who finds out that the bank vault is empty, will most probablylook for another bank.

The system and method has a menu of different options including theability to extract: (a) All existing databases on the computer ornetwork. (b) All newly loaded, mounted, or integrated data to thecomputer or network. (c) All plug-in memory devices (temporary orpermanent) containing data. (d) All new and imported data to thecomputer or network. (e) All new work and output created by the computeror network. (f) All data being transported in/out of the computer ornetwork including electronic mail. (g) All data being transmitted in/outof the computer or network including electronic mail.

The system and method releases the extracted data streams, subject to acontrolled-release mechanism and process. The release mechanism iscontingent on parameters including; rights to access specific contents,timing criteria, security restrictions, and preset policies. The releaseof the extracted data objects permits restitution of the source datastream in variations of the source that are full, partial, or modifiedrepresentations of that source data stream. The release provides forvarious levels (through user configuration) of separation between themodified source data stream and the extracted data streams. The systemenables the maximum grade of security by means of the option of a visualmerged projection of said different data streams, while maintaining astrict physical and logical separation between the data streams.

Basic Reconstruction

FIG. 1B generally diagrammatically illustrates the major features of areconstruction routine or system. The user, typically at a computerterminal, inputs a reconstruction request 120. The system first executesa security clearance protocol routine 122 in order to determine whetherthe user has the proper security clearance. The security clearance maybe thought of as a security clearance control. If multiple users arepermitted access to the documents and those multiple users havedifferent security clearances, the security clearance protocoldetermines the level of security clearance and, hence, the full orpartial reconstruction of the plaintext. The security code input by theuser is checked against a security code database or list 124. Clearanceis provided in step 126. The location of the map and, hence, thelocation of the remainder data A-com 108 and extraction is provided tothe user's computer in step 128. This may include obtaining a copy ofthe map 130 showing the location of memory segments in (a) the localcomputer; (b) the LAN or WAN; or (c) the Internet storage sites. Thestorage segments are A-com 108 and B-ext 110. The common or remainderdata is downloaded or transferred or made available to the user'scomputer as shown at the output of map location and data step 128.Typically, the extracted or security sensitive data from B-ext isdownloaded. As described hereinafter, the data can be reconstructed as acomplete electronic document in function 130 or may be reconstructedonly as a visual reconstruction in step 132. Visual reconstruction isdiscussed later. Function 130 operates as a compiler to gather theextracted data and remainder data into a single plaintext document. Ifthe data object represents sound or audio signals, reconstruction andplay back may require a speaker output in function block 130. In atelecommunications implementation of the present invention, the inputwould include a microphone or audio detector (supplemental to the inputdevice for document 100), an analog to digital converter (possibly witha voice to digital converter), the filter, extractor, storage facilitiesat least for the extracted data, and at the output of the system, aconverter to audio and an audio announcer. The recipient of the secureddata stream or message would be required to clear a security clearanceand possibly obtain a decoding key prior to listening to the entire,decoded message. The key and the security data is separately downloadedto the recipient's device.

If remainder data in A-com memory 108 and extracted data in B-extcomputer memory 110 is encrypted, the reconstruction process includes adecryption step. Encryptors and decryptors are relatively well known bypersons of ordinary skill in the art. Further, the filter 102 (FIG. 1A)may include some encryption routine operating on the data object(plaintext) during the filtering. A simple encryption may includesubstituting “dummy” text or images for the security words and keeping apointer to an encryption key document mapping the security words withthe dummy words. The filter may be stored or may be destroyed at theoption of the user. Storage of the filter impacts the degree of securityof the entire data system but storage of the same filter enables theuser to reuse the filter at a later time. Encryption of the storedfilter increases the security of the data. Creation and storage of mapin memory 112 also impacts the degree of security of the system.However, if the filter 102 is destroyed and all copies of the map aredestroyed on the user's computer originating plaintext document data100, and the map is stored offsite in a third computer memory location112, this offsite map storage may enhance the degree of security of thedata. The originating computer processing plaintext 100 may be scrubbedto remove all reference and copies of the plaintext, remainder text,extracted data map storage data, etc., i.e., a deletion routine may beemployed on the data input computer.

System Configurations

FIG. 2 diagrammatically illustrates a personal computer or PC computersystem 140, a second PC or computer 142, and a third PC-3. PCs 140, 142and PC-3 are connected together via a network 145 (LAN or WAN) and arealso connected to an input/output device 146 that may be generallydescribed as a router or a server to an outside communications system.The input/output device 146 is connected to a telecommunications system148 which leads to Internet 150. The Internet is a global computernetwork. Internet 150 is coupled to a plurality of servers, one of whichis server 152. Server 152 may be designated as an application serviceprocessor ASP. Internet 150 also includes various computer memorystorage devices such as computer storage I-com 154, computer storageI-ext 156 and computer storage map 158. Computer storage enabling thestore of extracted data includes a security level clearance module 157.Similarly, map computer storage 158 includes security level clearancemodule 159.

As stated earlier, the present data security system can be implementedon a single personal computer 140. In this case, different memorysegments or hard drive 168 may be used for A-com and B-ext. Typically,PCs include a keyboard or data input device 161, a display 163, acentral processing unit CPU 165, a video board 167 having video boardmemory 169, a fixed disc hard drive 168, a RAM 166, and input/outputdevice 164, a removable memory media or floppy drive 162 and a removablecompact disk (CD) read-write (CD-RW) device or drive 160. The system mayinclude other removable disk drives, tape drives, or flash memory units.Internal units CPU 165, video board 167, hard drive 168, RAM 166input/output device 164, floppy drive 162 and CD-ROM device 160 are allcoupled together via an internal bus 171. Bus 171 represents a pluralityof buses as is known to persons of ordinary skill in the art.

One methodology of implementing the present invention utilizes distinctmemory segments which may be designated in one or more of the following:hard drive 168, memory in a removable disk in floppy drive 162, memoryin a removable CD disc in CD-RW device 160, and, to a very limitedextend, RAM 166. In this manner, the user may select, generally at theoutset of the process, that the extracted data memory storage B-ext 110be stored on a floppy (removable memory) via floppy drive 162 or a CDvia CD-RW drive 160. The user can then simply remove the floppy or theCD and carry it with him or her. To reconstruct the data, the operativeprogram, generally discussed above would have access to the floppy orthe CD and particularly the memory location of the data on the floppyand the CD in order to reconstruct the entire plaintext document 100(see FIG. 1A). Alternatively, different portions of hard drive 168 maystore A-com and B-ext. Of course, the computer system may utilize tapedrives and memories or flash card, programmable memory.

In a local area network or wide area network implementation, PC 142includes memory similar to memory units described in PC 140 and a memorysegment may be set aside in PC 142 separate from the common data orremainder data storage typically placed on hard drive 168 in PC 140. Asa further expansion of the present invention, the extracted data (thatis, the high security data), may be stored on computer storage I-extmemory unit 156 via Internet 150, telecommunications system 148 androuter/server 146. In this manner, the common data or remainder data isstored on hard drive 168 and the highly sensitive data is stored offsite in a secured location. Access to that secured location may belimited via security layer 157. If the user implements an encryptionsystem (see encryption e 118 in FIG. 1A), the extracted data is furthersecured by the encryption during the transfer from computer 140 throughnetwork 145, router/server 146, telecommunication system 148, Internet150 and ultimately to computer storage I-ext 156.

The present invention may also be embodied utilizing an ApplicationService Provider on server 152 and in a client-server network.

An implementation of the present invention over Internet 150 most likelyincludes the use of a uniform research locator or URL for map memorycomputer 158, computer storage I-ext 156, computer storage I-com 158 andASP server 152. In a client-server environment, server 152 acts as aserver generally commanding the operation of client computer 140. Ofcourse, persons of ordinary skill in the art recognize that the servermay be located on the local area network 145 rather than beinginterconnected with Internet 150 as shown in FIG. 2. The claims appendedhereto are meant to cover the alternative embodiments.

As an example of a client-server or web-based implementation of thepresent invention, the user at computer 140 may define the filter 102 asdescribed above, and input data (plaintext) via keyboard 161 or loadplaintext data from floppy drive 162 or CD-ROM drive 160 into RAM 166.In any event, whether the plaintext data is input via keyboard 161 orcopied or accessed from floppy drive 162 or CD-RW drive 160, theplaintext data is filtered as discussed above in connection with FIG.1A. Prior to filtering, it would be appropriate for the user at computer140 to identify where the remainder data or common data will be storedand where the extracted or high security data would be stored. A simpleprogram may automatically select the secure store location. The systemis sufficiently flexible to enable the user to select local storage ondifferent memory segments of PC 140 (hard drive 168, floppy drive 162,CD-RW drive 160) or be flexible enough to enable user at computer 140 todesignate off site storage of the high security data (extracted data)and/or the common or remainder data. An automatic store routine may onlyrequire the user to accept or reject to preferred first security level,second security level and higher security level stores. The off sitedata storage process may include activating server 152 and enabling theserver to take over the process directly from user 140. In other words,the user at computer 140 could call up the URL of the server 152, theserver could request certain user information (user name, password), andwould request data from the client computer to establish the filterpursuant to input selected by the user. The client computer may (a)filter the plaintext thereat or (b) send the data to the server forfiltering. The server could store data either locally on computer 140 orremotely at computer memories 154, 156. After storage of the data at anyof these locations, the server 152 may establish a map and store the mapin memory location 158. Of course, remainder data (cleansed, plaint-textdata) and the map may be stored at ASP 152 or client computer 140. Themap, if stored at map storage 158, may be downloaded to the user atcomputer 140. The filter may be stored at computer 140 or may be storedat a secured location on server 152. Alternatively, the map could bedestroyed on user computer 140. The filter could also be destroyed onuser computer 140. Of course, the filter could be stored in a fourthremote location (not shown), different from I-com 154, I-ext 156 and mapcomputer memory 158. Storage of the map and decryption keys is acritical, high security task. Appropriate security measures should beutilized to protect those items. Local removable memory storage on discin floppy drive 162 or disc in CD-RW 160 may be reasonable. All tracesof the map, the filter, the encryption key, the extracted data, andpossibly the remainder data may be scrubbed or deleted from all computermemories (by write-over or disc reformat routines) other than the “com”and “ext” storage sites. Deletion of all URLs, links, x-pointers, etc.is also recommended for high security applications. Deletion systems areknown to persons of ordinary skill in the art. For multiple securitylevels, multiple web site for storage of cleansed plaintext, first,second, third and higher security level extract text is preferable.Where the community of interest has access to the targeted and protecteddata via the Internet, multiple secured storage locations, multiplestores for filters, for encryption keys and for maps locating thesecured stores is provided by multiple storage locations distributedthroughout the Internet.

To reconstruct the document, the user at computer 140 would be requiredto call up the URL of server 152 and input the appropriate securitycode. The server 152 would then call up and download data from variousmemory locations whether they be memory locations on computer 140 ormemory locations I-com 154, I-ext 156 and map memory 158. The systemcompiles the entirety of the plaintext document by gathering thedispersed components thereofor compiles partial reconstructions fordifferent levels of security. By implementing different security levels,the system is dynamic enough such that server 152 can easily locate thevarious extracted data levels based upon various security codesrepresenting different security levels, as those codes are input by theuser at computer 140. Multiple security codes, at the inception andduring the process, may be utilized. The user may be required to inputsecurity codes at multiple times during the reconstruction orcompilation process.

It should be noted that computer storage 154, 156 and 158 may be locatedon the same computer or may be located on different computers spreadthroughout the Internet. If the storage units are different computersspread throughout the Internet, computer storage 154, 156 and 158 wouldeach have their own URL or Uniform Resource Locator. In any event,during reconstruction, the server 152 gathers the information anddownloads the information into RAM 166 of computer 140. This downloadmay include a first download of the common or remainder data from I-com154. At a separate time, which may or may not include a decryptionroutine, the extracted from I-ext 156 is downloaded. Preferably, otherthan inputting initial security codes and any required or desiredintermediate security codes, the system operates automatically withoutfurther input from the operator at client computer 140. The download ofboth data sets may be simultaneous in that the download is not humanlyperceivable. This is especially true if storage in different memorylocations in PC 140 is utilized.

The role of server 152 may be expanded or reduced dependent upon thedesires of the user and the degree of security necessary. For example,server 152 may only enable separate storage of extracted data in I-ext156. In this limited role, server 152 would require the input of aproper security code and clearance prior to identifying and enabling thedownload of extracted data from I-ext 156.

In an expanded mode, server 152 may be involved in filtering the data,extracting the security sensitive words, characters, icons or dataobjects to obtain extracted data and remainder data thereat, separatelystoring the extracted data from the remainder data (extracted data beingplaced in computer memory I-ext 156 and remainder data being stored incommon remainder data memory I-com 154) and then permittingreconstruction via separate or combined downloads of the remainder dataand the extracted data into computer 140.

The innovation is a system and method for automatically or manuallycontrolled selection, extraction, storage, and release of selected andprioritized information. The system extracts selected information fromdata streams, in computers, computer networks communication devices, andnetworks, as well as electronic mail systems. The system and method canreside on a single computer, be distributed across multiple platforms,be distributed across multiple networks, or reside as a remote process(known as a hosted application service process in the state of the art).

Reconstruction Techniques

FIG. 3 diagrammatically illustrates a system diagram for variousreconstruction routines. A complete reconstruction is shown as securitylevel path A. This involves an electronic integration of plaintext instep 202 resulting from the complete electronic reconstruction ofdocument 100. For example, a merge may occur between the extracted dataand the remainder data or common text data. The document is completelycompiled in this process. Placeholders in the remainder document areutilized to locate and insert the extracted data. Most likely, therewill be no process controls imposed on the integrated document as shownin step 204. In other words, if the user at computer 140 has the propersecurity clearance, he or she could download or recreate the entireoriginal source, plaintext document and the user would be entitled toedit the document or change it in any way or copy it and reproduce it.

The second level of security, path B, results in storage of the commonor remainder data in a different memory location on the hard drive 168as compared with the extracted data. This is noted in step 206. Anotherwords, in a simple example, hard drive 168 or RAM 166 would hold a copyof a remainder data document and another copy of the extracted datadocument, that is, two separate documents. Since two documents areavailable in RAM 166 or hard drive 168, these documents are stored indifferent locations in the memory. In step 208, a map showing the memorylocation of the common or remainder document and the extracted datadocument is provided to computer 140. Step 210 commands the processorCPU 165 in computer 140 to interleave the extracted data with the commonor remainder data in the video board memory. In this process, theextracted data would typically have placeholders for the missingremainder data. Otherwise, control codes to locate the extracted datainto the remainder data would be executed by CPU 165 to properly placethe extracted data into the “visual space” of the placeholders in theremainder data document. The extracted data document may haveplaceholder for the remainder data. Some type of register between thetwo image documents may be necessary. The compiler, in this embodiment,gathers the document elements and visually compiles and presents theplaintext to the user.

FIG. 3A diagrammatically shows that video board memory 169 is loadedwith remainder or common data 1 and a different location of the videomemory is loaded with extracted data 1. The next video memory locationis loaded with common data 2 and then a different video memory locationis loaded with extraction data 2. Since the refresh rate of computermonitor 163 is fast, the display 163 will show the common or theremainder data and then show the extracted data such that the user couldnot humanly perceive a difference in the document. However, the usercould not copy the document from display screen 163 (a “screen shot”)since the document is never electronically integrated into a singledocument. There is only a visual presentation of the combined documentby interleaving the extracted data with the common or remainder in thevideo memory 169. Step 212 notes that the user may be limited in his orher ability to process, edit and store the reconstructed and presentedplaintext document.

Security level path C recognizes in step 214 that the data is stored indifferent memory or computer locations. In this situation, two videoboards, video board A and video board B are shown as board 216 and 218.Video board 216 drives display monitor 220. Video board 218 drivesdisplay monitor 222. Display screens 220, 222 are overlaid atop eachother. Video board 216 is fed with common or remainder data from theremainder data store (see I-com store 154 in FIG. 2) and video board 218is fed with the extracted data from the extracted data store, forexample, I-ext store 156. In this manner, as noted in step 224, the useris presented only with a visual presentation or compilation of theplaintext. Since there was physical separation between video monitor 222and video monitor 220, there is no electronic integration at all of theplaintext document. Hence, the ability for the user to do anysignificant editing on the plaintext document is blocked or prohibitedbecause the user only has access to either the data on video board 216or the video board 218.

Security level path D shows that the extracted data may be parsed orfurther separated based on a plurality of security clearances in step226. Step 228 recognizes that the system can repeat process and securityprocess paths A, B and C only with portions of the extracted datapresented to the user based upon the user's security clearance.

General Operation

FIG. 4 diagrammatically illustrates the major components of a flowchartfor the data security program. It should be noted that this flowchartmay be truncated to limit user selection of certain items. The systemwould be pre-set to contain these features. Step 230 initializes thesystem. Step 232 enables the user to designate various levels ofsecurity for the activity which he or she will soon engage. The system,in step 234, enables the user to define the levels of securityparameters. The following Security Table gives some examples of the typeof security that may be available to the user.

Security Table to whom to where when (time of day, day of week, month,floating but predetermined time frame) why (purpose, match purpose toother security parameters or to certain predetermined criteria) how(through what medium (LAN, WAN, Internet, direct dial link), download towhat site or destination) how long (duration) the reconstruction processwill be permitted per each security clearance level how much (differentsecurity levels enable reconstitution of documents and data withdifferent amounts of secure data therein) timing systems may requiresynchronization for a standard clock (i.e., atomic clock)

As an example of a truncated or pre-set program, a client-server systemover the Internet may have URLs designating storage sites and an ASP 152(FIG. 2) controlling storage. In this pre-set system, the user does notselect the sites. The sites may be randomly selected by ASP 152. The ASPmay use artificial intelligence AI to locate secure extract data storagesites. AI or inference machines can ascertain (a) traffic oncommunications channels, (b) storage limit issues, (c) transmissionfailures in the communications links, and (d) the degree of securitynecessitated by exterior events, i.e., terrorism alerts, virus alerts,war, data security warnings posted by trusted sources, MicroSoft,Norton, NASA, DoD, CDC, FBI, etc. Higher security alerts trigger the AIconfigured storage locator and facilitator to locate memory stores inhigher secured places. These higher security facilities may be morecostly, may be located in more stable countries or on more stableservers and may have greater degrees of encryption capabilities.

The user, in step 326 can designate the location of the filter, thecommon storage area for the remainder data, the extraction data storageand potentially multiple data storage areas or segments. The user mayenable an AI filter design. Step 238 permits the user to engage ordisengage encryption and, if engaged, establish the degree of encryptionfor the system. Step 240 enables the user to define the parameters ofthe filter. The user can retrieve a preexisting filter or may define anew filter for each data security session. These filters may consist ofdictionaries or any type of compilation of words, characters, icon, dataobjects or pixel formation or any indication that can be perceived bythe computer system. Granular extraction of data elements in a dataobject may be permitted. Step 242 recognizes that the user either inputsa preexisting plaintext document or types data into the system. In anyevent, the plaintext document is fed through the filter. Step 246extracts the security data from the input document. Step 248 stores theextracted data. The extracted data may be encrypted prior to storage.Step 250 conducts an error check on the extracted data. This error checkis helpful in discerning problems in the storage of the data prior toclosing down the data security system. Step 252 stores the common dataor the remainder data. Step 254 conducts an error check on the common orremainder data. The decision step 256 determines whether the user hasselected a “destroy filter” command. If not, the filter is stored withor without encryption in step 257. If YES, the filter is destroyed witha deletion routine. Typically, deletion is complete erasure of alltraces of the file including, in high security systems multiplewrite-overs or disc reformatting. Step 258 stores a map. The map may bestored locally or remotely as described earlier. The system ends in step260. All traces of these data elements or objects may be swiped clean orremoved from whatever computer system generated the data objects orprocessed them, other than the memory storage locations. Deletion ofdata also includes the concept of deletion of data transmission paths,URLs, storage site locations and all temporary memory stores. Deletionof file location in the root directory of hard drive 168 of computer 140is preferable in high security systems.

FIG. 5 diagrammatically illustrates basic flowchart features for thereconstruction process. Step 302 accepts a request to reconstruct thesecured data. Step 304 queries a local map and the security system orprotocol. In a preferred embodiment the user would have to input severalpasswords, one of them being a local password on computer 140. A localmap which may be accessed only through the password, may simply identifythe URL of server 152. Decision step 306 determines whether the localpassword is acceptable. If not, and error step is indicated in step 307,the attempt to log on to the security system is noted in step 309 (anaudit trail), and the system either branches to repeat step 311 or barsthe user from further activity in step 313.

Returning to decision step 306, if the password is locally acceptable,the YES branch is taken and the system executes step 308 which releasesa reconstruction request to the common storage facility I-com 154 orA-com 108 (FIGS. 2 and 1A-B). The system in step 310 logs the user in,as well as time and date and the data regarding the request. In step312, a download from the common data storage is provided to RAM 166 orhard drive 168.

In step 314, a query is made to obtain the remote map from the remotesecurity system. The decision step 316 indicates that the user againsuccessfully inputs his or her security code. If not, error routine 317is activated, the password failure is noted in step 319 (an audittrial), and the user is given an opportunity to repeat in step 321 or isbarred or prohibited from further activity in step 323. If the user hascorrectly input the security code, the system in step 318 releases thekeys (to decrypt) and the map and releases the reconstruction request tothe remote storage for the extracted data. This could be computerstorage I-ext 156 or computer storage B-ext 110. In step 320, the user'saccess to the extracted data is logged in along with the time and dayand type of data request. In step 322, the system downloads theextracted data into RAM 166 and/or hard drive 168 of computer 140. Instep 324, an error routine is operated on the extracted data in order toinsure that the extracted data properly matches the common or remainderpreviously stored. Decision step 326 determines whether the errorroutine properly generates the correct count or output. If not, thesystem in step 327 indicates an error, in step 329 the system deletesthe common files and the extracted files and the system in step 331 logsin the failed attempt. If the error checking routine on the extracteddata is acceptable, the YES branch is taken from decision step 326 andthe system, in step 328, proceeds to display the plaintext document orto integrate the plaintext document pursuant to the security clearanceinitially input by the user. Step 330 ends this process. The end processmay entail encrypting the data again and swiping clean all traces ofdata objects from the memory stores and computer handling units. Ofcourse, every use of encryption requires decryption of the data prior toreconstruction.

The system may incorporate various types of security systems orroutines.

-   -   pass word    -   pass phrase    -   multiple choice questions and answers    -   initial, intermediate and subsequent security clearance routines    -   biometric security routines (voice, fingerprint, signature, eye        or retina scan)

The reconstruction routines may be interrupted or the security systemautomatically activated or initiated upon the occurrence of externallygenerated triggers or upon certain predetermined conditions orconditional events. Limited extraction, security clearance, release ofdata and reconstruction limits may be imposed. Artificial intelligence(AI) engines, inference engines or neural networks may be implemented tovary the permitted level of reconstruction via the security clearances.In other words, the AI system, as applied to reconstruction, may,relatively independent of the filter and storage processes, increase thenecessary security levels permitted to access and generate full orpartial plaintext recreation.

The display systems 220, 222 in FIG. 3 include CRT monitors, LCDscreens, projection screens and combinations of those systems.

The audit trail to monitor reconstruct and reconstruction attempts mayinclude adding a time/data stamp to the remainder data and/or theextracted data prior to storage and a cross-check to the audit trail logduring the reconstruction process.

Placeholders in the remainder document may be:

-   -   blank spaces    -   data symbols or elements “—” or “xxx”    -   false data    -   clearly erroneous data “ABC Company” or “Baker”    -   chaff or hash marks    -   messages    -   bar code    -   serialization data    -   alerts    -   links to other data objects    -   null set indicators “[ ]”    -   URL or website addresses

It is believed that the present invention is faster, duringreconstruction, than standard encryption techniques, on the order of 100to 1,000 times faster.

Automatic Features

The system and method described herein may operate substantiallyautomatically, that is, without operator intervention, other than thesecurity clearance function. The clearance function does require sometype of operator authentication prior to retrieval of the extracted andremainder data.

The system and the method may operate automatically in that theplaintext or originating data could be identified by a party desiringsecurity. The system could obtain that data from any data input device(hard drive memory, floppy drive memory, flash card memory, personaldata assistant (PDA), or any other type of data input device), filterthe data, separate the extracted text or the remainder text, encrypt (ornot encrypt) the data, separately store the extract and remainder data(all automatically, that is, without operator intervention). Hence, itis not necessary that the system operate with significant operator ormanual intervention. Of course, the system may also operate on aplaintext document or data object that is being created “in real time”by an operator and keyboard, mouse or other type of data input device.Since the present system can be configured to operate in real time, thesystem works on data packets of sensitive text, characters, icons,images or a combination therefor, sound, video, and data objects ingeneral.

The automatic operation of the system and the method can be caused by atriggering event. This triggering event may be a security attack(generating a trigger to start the gathering of plaintext, filtering,extraction and storing) or may be any other type of trigger such as abuilding burglar alarm, door alarm, fire alarm, or virus detectionalgorithm trigger. The event may be a time of day, week or month. It maybe n seconds after the user stops typing on a keyboard. It may be atimed back-up feature.

Multiple Security Levels

Multiple filters may be utilized in the system and in connection withthe method. These multiple filters may be useful in the operation of thesystem with a plurality of security levels. Each filter could filter outdifferent levels of security sensitive items and each bundle or group ofsecurity sensitive items (from each distinct filter) could be stored atdifferent computer storage locations. Multiple filters, multiplesecurity levels and multiple storage areas may also include multipleencryption routines and decryption routines. Encryption and decryptionroutines can be related to the level of security of a particular groupof data.

Multiple maps may also be provided for singular or multiple storage ofextracted data and remainder data. These maps may or may not indicatethe originating point of the data. Maps can be parsed such that anintruder, upon discovery of a single map or map portion, could notlocate the storage locations of all piece of the extracted data andremainder data. Maps may also be encrypted. The map may also be storedat a distinct map store location.

The concept of partial reconstruction also includes the concept that aportion of the plaintext would be reconstructed and the unreconstructedportions of the plaintext could be encrypted or could show blanks orother symbolic indicators. See the placeholder table above.

Partial reconstruction of the plaintext also includes a concept that thesecurity sensitive items or materials may be subject to different typesof encryption. Hence, a single plaintext document may have multiplelevels of security and multiple levels of encryption wherein eachencryption has a different level of security assigned to it.

The present invention can also be configured to provide a computernetwork which transparently establishes and manages the separation ofuser-based communities of interest. The separation is accomplished byextraction pursuant to security levels, dispersion of data into securestorage facilities (memory stores) and reconstruction based upon theassigned security level. A low level security clearance results in onlypartial reconstruction of the plain text or source document. Theseuser-based communities of interest are a plurality of users each havingrespective security clearances. As described above, each successivelyhigher level of security clearance permits the user to see greaterdegrees of reconstructed plain text obtained from the extracted datastored in extract stores and the remainder data from the remainderstores. By integrating encryption (and necessarily decryption),separation of user-based communities of interest are established suchthat the users in a particular community are permitted access to some orall of the plain text data based crypto-graphically separatedcommunities and need to know security levels.

FIG. 6 is an exemplary computer network diagram showing various usercommunities. The telecommunications network 402 is connected to theserver application server provider ASP 452 and to various networks andpersonal computers or PCs. The PCs may be computer work stations.Network A 404 is coupled to telecommunications network 402 via aninput/output unit 406. Network A is coupled to various PCs identified inFIG. 6 as PC-4, PC-5 and PC-6. Of course, Network A could be coupled toother PCs not illustrated in FIG. 6. As described earlier, server 452can facilitate remote or offsite storage of extract data and remainderdata in store 1, store 2 and/or store 3. Further, the map showing thestorage location may be encrypted and stored in any one or more of thesestores. Also as described earlier, the memory in one of the PCs, forexample PC-4, PC-5 could be utilized to store extract data and remainderdata from PC-6 and PC-6 can be configured as the input data computer.Hence, the present system and methodology encompasses the concept oflocal storage and remote storage. On the local level, the storage beginsby storing the extract data at different locations in the hard drive ofthe PC. The next level higher is storing the extract data in removablecomputer media such as floppy disk, removable tape drives, CDs etc.associated with the PC accepting data or associated with a server onNetwork A. The next higher level of extract store is storage of theextract data on a server or other computer in a particular network. IfPC-6 is designated as the input computer, the extract data may be storedon PC-4. Of course, PC-4 could be designated as the server for NetworkA.

PC-7, PC-8 and PC-9 are coupled to telecommunications network 402.Network C 408 and Network B 410 is coupled to communications network402. The lines, one of which is line 409 extending from Network C 408,represent a plurality of computers or workstations coupled to Network C.Line 411 represents a plurality of workstations or computers coupled toNetwork B 410. In an e-mail implementation of one embodiment of thepresent invention, PC-7, PC-8, etc. may represent computerized devicesaccepting e-mail (personal data assistant, pager, cell phone, etc.). Thesender and the e-mail addressee may utilize simple computerized systemsto communicated via e-mail. Further, the network may be anytelecommunications network including wire, cable, cellular, wireless,satellite, IR or RF systems.

FIG. 7a diagrammatically illustrates a flow chart showing the keycomponent steps for the multiple layer security program for thecommunity of users. The “community of interest” system described hereinenables persons and organizations at the same security level to sharedata on a peer to peer level. Further the security system may operateautomatically, with respect to extraction, storage and reconstruction,such that the peer to peer dissemination of data objects is quickly andreadily available to all at the same or higher security levels. Step 420initializes the program. Step 422 enables the user, administrator orsystem operator to designate multiple levels of security, that is,multiple words, characters, icon, data objects, or whatever, for eachsecurity level and further to define encryption for each security level.The designation step 422 also includes identifying the communities ofinterest and the particular security level and security clearance foreach community of interest. One example of various security levels forcommunities is set forth below in the Community Security Level Tablewhich is keyed to the computer network diagram of FIG. 6.

Community Security Level Table Security level Community Group High PC-7;PC-8 Medium high all high group plus Network B Medium all above plusNetwork A Low all with nominal clearance Special set medium PC-7; PC-9;Network B

Further, designation step 422 will include identifying the words,phrases, icons or data objects subject to security concerns and thepotential location of the extract data and, if necessary the remainderdata and the degree of encryption. The following Selection Tableprovides some examples.

Selection Table Level of encryption/storage type or category of word orphrase; input specific word, phrase High, web-based storage dollarvalues, names of streets, countries, “Smith” and 5 words about “Smith,”“avocado” Medium high, remote storage all addresses, all names Mediumnetwork storage all family names, all client names Low, encrypt andseparate all items not in dictionary store in local memory

As an example of various encryption methodologies, the followingEncryption Table is illustrative.

Encryption Table DES, random pad A (“r. pad A”) Huffman, r. pad B CryptoAPI, r. pad 7 Two fish, r. pad C-2 Blowfish RC4 Skipjack Ghost

In FIG. 7a , step 424 executes or enables the security program withmultiple filters, multiple encryption levels and multiple storagelevels. Each one of these filters, encryption levels and storage levelscorrespond to the security level for the various communities ofinterest. Step 425 responds to an inquiry from a user to reconstruct thedocument. Step 426 accesses the user's security clearance and theparticular inquiry. Decision 428 determines whether the inquiring partyis entitled to full or partial access to the source document. If not,the NO branch is taken and the system, in step 429 adds placeholdersubstitutions. Step 429 may be optional. If YES, the system reconstructpursuant to the clearance level in step 430. The following provides anexample of multiple level encryption utilizing placeholder substitution.

Example Multiple Level Encryption

Applicants must be _(——————) zzxx xx _(——————) xxx _(——————) citizensand have a high school diploma or equivalent. They must possess a validsubsubsub driver's license and qualify for top SUBWORD _(——————)clearance.

With this multiple level encryption, substitutions may be utilized“subword” to indicate to the user with a less than superior securitylevel that a certain word, term or phrase has been extracted and storedby he or she is entitled to know that substitute word, term or phrasehas been inserted into the plain text document. Of course, any type ofsubstitution character may be used for the placeholder.

In step 432, the system displays the plain text in a normal format orutilizing a split or bifurcated video memory or utilizing overlaydisplay screen. FIG. 3 and the description of that figure set forthabove describes the normal display in steps 202, 204, the split videomemory display in steps 206, 208, 210 and 212 and the overlay displaysystem in steps 214, 216, 218.

The system, in step 434, monitors and logs the location of the usermaking the inquiry, the type of inquiry, the time, day, date, clearancelevel and access level and logs all modifications to the plain textsource document. One example of the log is set forth below in theSecurity Report Table.

Security Report Table Privacy Scrubber Report source file: path\filenamescrubbed file: path\filename-scrub source file: date, time, sizeprocess: date, time user: name system: name Recovery File (a) storagelocation, type of encryption, random key (b) storage location B . . .(c) store C . . . (d) store D . . .

Step 436 enables the security program and parses and extracts the dataper the security program, filters the data, extracts it and codes itdisperses it and stores it as discussed above. The multiple layersecurity program ends in step 440.

The following Security Level Access Placeholder Table is another exampleof the type of placeholder substitutions that may be available. Theexample in the Security Table Access Placeholder Table may be used inconjunction with step 429.

Security Level Access Placeholder Table

[security level 2] intelligence located [security level 4] 20 miles from[security level 4]. He is using the name [security level 4], and dressedas a [security level 4] preacher. With him are his lieutenants,[security level 4] and [security level 4]. He is communicating with theinternational media through Mr. [security level 4], who resides at[security level 3], [security level 4], [security level 4]. Telephone is[security level 1] and Facsimile is [security level 1].

It should be noted that in order to reconstruct some or all of the plaintext source data, some or all of the subsets of extracted data from theextract stores will be utilized dependent upon the respective securitylevel of the inquiring party or user.

Sharing Data with Different Security Levels Data Mining

The present invention can be configured to overcome obstacles tointelligence sharing and data sharing between parties by enabling theparties to identify granular critical data and control the release thegranular critical electronic data subject to a sharing arrangement withother parties. In some instances, the controlled release process isdesigned to implement an agreed upon plan to share secured data basedupon arms length negotiations between the parties. The invention enablesa party to release specific granular data such as a name, address, ordate without releasing the entire “classified” document. In a commercialcontext, this is akin to data mining in that the inquiring party seekslimited data (not the entire data file, record or document) and iswilling to pay for the “mined” data. As an example of a securityintelligence system, a local police chief may release granular criticaldata about a suspect to a federal agency, when in return the federalauthority will release further intelligence “mined” or obtained for thesecured data storage, about the suspect. The controlled release of datafrom the higher security level party (the FBI) may be an intelligencedocument or a granular part of it (a partial reconstruction provided tothe local police). The rational behind this implementation of theinvention is that there are many obstacles for sharing intelligence andinformation. There are even many more hurdles when it comes to sharingof raw intelligence. The invention creates a leveled playing field inwhich the different parties must share and exchange information in orderto achieve their objectives.

The invention can be configured to resolve the major challenges facinggovernment by enabling sharing of information between its differentorganizations in relationship to fighting terrorism. The invention forexample can enable organizations, connected to the Homeland SecurityDepartment, to search data bases of various other government, state andlocal organizations, eliminating the fear of the “source” organizations,owning or controlling the source or plaintext documents that theirproprietary data or granular critical data is released without theirspecific permission. The invention enables open negotiations between theparties regarding what data to release and for what consideration. Whenseveral organizations are seeking access to a specific document, theinvention and can allow a controlled release of different granular datato different parties for different considerations and benchmarks.

The invention's mechanism of controlled release of the locateddocument/data enables other parties to search their documents withoutthe fear that sensitive information will be released to the searchingparty. This invention is designed to foster sharing of documentationbetween different parties, taking into consideration the need to limitthe access of other parties to the total content of the owner'sdocument.

The invention is a machine and process and its purposes and advantagesmay be as follows: (a) To automatically control selection of dataobjects within a data stream and release them in a controlled methodonly to authorized parties. (b) To automatically separate data objectswithin a data stream into two or more digital data streams according tothe importance and categorization of contents, through extraction andremoval of the prioritized content and its replacement by appropriateplaceholders. (c) To automatically control selected contents in E-mail,and enable its release in a controlled method only to authorizedparties. (d) To enable users to leverage the growth in computer andtelecommunications connectivity and electronic commerce by reducingsecurity risks. (e) To enable users to release documents, digital files,and data streams into closed and opened digital networks with theconfidence that important, identifying, and critical contents in thatdocuments, digital files, and data streams is secure and will be seenonly by authorized parties. (f) To enable real time simultaneouscustomization and personalization of selected contents within a datastream to different parties, allowing instant display of the selectedcontent or part of it based on, and tailored made to the status of theuser or receiving party. (g) To secure the important and criticalcontents of a document or digital file by transporting said contentsinto a separated data stream and removing said data stream to a removedstorage memory, while eradicating any copies, temporary caches, ortraces of the removed extracts on the original computer or machine. (h)To enable instant return transfer to the display or to another displayall or part of extracted content instantly with verification ofauthorized user. (i) To create a projection of the original document,digital file, data objects within a data stream, or variations of itthrough combined projection of the splinted data streams, whilemaintaining separation between the data streams. (j) To create analternative method for security, instead of encryption, which is secure,cost effective, less time-consuming, and flexible. (k) To enableautomatic timed removal of specific content items, automatically ormanually selected from a document, digital file, or data objects withina data stream. (l) To enable an automatic timed reconstruction(reconstitution) of the said document, digital file, or data objectswithin a data stream.

Another object of this invention is as a system and method forautomatically creating customized and personalized versions of adocument, data object, or data stream. In real time, simultaneousversions of the original are created and altered, then disseminatedbased on the status of the different users and their access privileges.The system and method enables content management and control byautomatically locating content items prioritized by importance,transporting them to a secure memory, and releasing them under explicitcontrols or preset rules.

Another object of the invention is as a system and method for control,analysis and management of important and prioritized information withindocuments, files, data object, and data streams. The system and method,enables the processing of all data objects at the time in which they arecreated or imported into the system. The early stage processing, enablesearly stage inventorying of prioritized contents as well as early stagepattern recognition. Extracting critical information, such as creditcard numbers, last names, first names, social security numbers, phonesnumbers, transaction dollar amounts and addresses, enables the systemand method to aggregate data in categories and analyze the data indifferent optional methodologies including pattern recognition.

Another object of the invention is as a system and method forcomprehensive monitoring of various activities including businessactivities in real time. With this level of detail, the system andmethod becomes a management information tool and information/datacommand and control center. The said system and method can include analert system, which in effect creates a real time apparatus for commandand control of the systems activities. In real time, and at any point intime, the user can get a comprehensive view of different activitiesincluding: (a) How many transactions are being processed, their content,their context, identity of the involved parties identity, theirprofiles, and the personnel involved. (b) How much money is beingtransacted. (c) When, in terms of dates, relevant to the transaction.(d) Where, in terms of geographical location, the transactions aretaking place. (e) Where, in terms of geographical location, monies orgoods are being transferred. (f) Which departments in the organizationare involved.

Multilevel Security Through Sanitization with Reconstruction ofSanitized Content

A multilevel security (MLS) technology secures the targeted, filteredcontent with extraction and dispersal to storage, bypassing the use ofclassification labels, in order to achieve stronger security of thesource document or data. During the process of developing securitytechnologies for defending critical infrastructure, it was discoveredthat the business model was too complex and there was a need to redefineand create new systems and methods for doing business. As a result, thepresent invention provides a system and codifies methods and businessprocesses to automatically identify, extract, store critical data (as aninput security system) and permit reconstruction of critical data onlyin the presence of certain security clearances (as the output of thesecurity system).

The invention is a method and process to establish a stronger multilevelsecurity (or MLS) architecture and product, than is currently available.The invention introduces multilevel security through sanitization ofcritical content of a source or plaintext document (or data object) withthe unique ability to reconstruct all or part of the original documentin conformance to the classification level of the user. A user with topclassification may view the entire document, while a user with a lowerlevel classification will view a sanitized document, tailor madeautomatically for his clearance level. The invention secures thetargeted filtered content of a document, file, or data stream, throughextraction and dispersal to storage, bypassing the common use ofclassification labels in order to achieve stronger security. Theinvention enables secure document storage and secure message transfersbetween users and networks with different security classification levelswhile protecting the information on a need to know basis.

Currently multilevel security MLS systems are using multiple PCs foreach user, and using physically separate systems for processing data ateach classification level. The inventive system, in several embodiments,eliminates the need for the use of multiple computers. All the documentsin the user's PC are automatically secured with a granularclassification process generally described above with identification ofspecial security data, extraction from the source document or dataobject, and then separate storage of the security data. The classifiedgranular content is dispersed to different secure, distributed storagelocations. The classification level of a user will determine his rightand ability to access and release the stored critical extracted contentfrom the various storage locations for reconstruction. A user with topclassification will view the entire document, while a user with a lowerlevel classification will view a sanitized document, tailor madeautomatically for his clearance level.

Types of government security levels are: Top Secret (TS); Secret (S);Confidential (C); and Unclassified (UC). Business identifies securitylevels as: Restricted to Management (R, for example, attorney-clientprivilege); Proprietary (P); Sensitive (S); and Public (P). These MLSsecurity levels may be supplemented with “need to know” classificationlabels, organizational limits (Army, Navy, DoD) and time limits. Priorart security systems identified each file with: owner, size, date andtime of creation and security attributes. The Bell Lapadula (BPL)security model uses concepts such as domination of the MLS securitylevel over both a process and the subject (a data object). Some examplesof various processes are read, execute, overwrite, append, write, kill(delete), etc. Some examples of process rules under the BPL model are:NRU—No Read Up (a lower security level cannot read a document at ahigher security level); NWD—No Write Down (a higher level cannot writedown to a lower MLS level).

The invention herein does not use the “classification labels” of theprior art. Instead it creates a situation in which the user gets accessrights to specific distributed storage locations based upon his MLSlevel, each access right can be classified with a differentclassification level. With respect to the editor described later herein,security labels (for example (“e.g.”), TS, S, C and UC labels) are addedor inserted into the filtered but not disassembled document. Asexplained later, the insertion of these SL labels conforms the currentinventive system to the prior art methodology and protocol. However, thecurrent inventive system does not use the SL labels for processingpurposes. The current system uses a granular or filter approach to makesecure the sensitive data in a particular document.

FIG. 7b diagrammatically illustrates a multiple level security systemaccessed by users having different security clearances (which alsorepresents a data mining system and operation). Source data 100 passesthrough security program 200. Critical, important data objects orelements are extracted and dispersed into storage 801. In theillustrated embodiment, storage 801 has four security levels SL1-SL4,level SL4 being the most secure data requiring the highest securityclearance. Between each level is an MLS or multiple level securityguard. The guard (physical or software configured) limits transfer ofdata objects there between. Upon a request or inquiry from user 1, 2 or3, each having a security clearance s1, s2 or s3, respectively, thequery or request for access to data Q1, Q2, or Q3 is sent to securityclearance process 803. The process 803 detects and confirms the user'sclearance level and passes a cleared query to storage 801. Cleared data(an entire document/data object or a portion thereof or simply onesecured data (i.e., a name)), is sent as Data 1, 2 or 3 to clearanceprocess 803. If clearance is still valid, data 1, 2 or 3 is sent to therespective user.

FIG. 7b can be a data mining system in that the user is permitted tomine the “cleared” data from storage 801. Data mining may be a monetarycharge associated with the clearance function in process 803.

In a secured system, the documents in the user's PC may be in“declassified” to his security level 99.9% of the time. The“declassified” or available documents are reconstituted through acontrolled release of the critical data from storage, and re-classifiedonly when the user presents his identification and his classificationlevel is being verified. Reclassification is automatic at the user's PC.The result is that the user's PC or workstation can operate inclassified and unclassified modes. It is unclassified when the documentsare declassified and when the documents are reconstituted the user isworking in a classified mode.

The invention introduces a new paradigm whereby computers that areclassified as secret or top secret, in actuality will contain 99.9% ofthe time declassified documents. This capability strengthenssubstantially the security of such classified systems.

The invention can resolve the major challenges facing government inenabling sharing of information between its different organizations inrelationship to conducting military operations as well as fightingterrorism. The invention for example can enable organizations connectedto the Department of Defense (DOD) or the Homeland Security Departmentto search into data bases of various other government, state and localorganizations, eliminating the fear of the organizations owning thedocuments that their proprietary data or granular critical data would bereleased without their specific permission. The invention's mechanism ofcontrolled release of the located document/data enables other parties tosearch their documents without the fear that sensitive information willbe released to the searching party. This invention is designed to fostersharing of documentation between different parties, taking intoconsideration the need to limit the access of other parties to the totalcontent of the owner's document. The invention enables overcoming theobstacles of existing multiple level security MLS systems by enablingsharing of sensitive data, and granular data between parties in a muchmore flexible way which also enables much greater access to informationnot enabled by the current MLS systems. The invention includes acontrolled release mechanism for release of data in conformance tobenchmarks, which can include submitting of access identification, thegiving of consideration, submitting of other information, etc.

The invention creates better collaboration between users andorganizations based on a better flow of information. It enables betterefficiency enabling easier communication between users and networks withdifferent levels of classification while maintaining the highest levelsof security. The invention enables a much better management of documentsin storage and in transport including e-mail. The invention introducesautomation to the sanitization process and an automatic reconstructionprocess. The automation will avoid human error both intentionally aswell as unintentionally. The automation will enable a substantialreduction in costs, furthermore the ability to create a multilevelsecurity environment in one PC or workstation will save costs ofpurchasing operating and maintaining multiple machines as is the currentpractice.

The challenge of many organizations is in getting mission critical andtime sensitive information speedily to the users who need it. In manycases the needed non-classified or low-level classified information isstored in systems but is not provided to the user who needs it, becausethe information is in documents which are highly classified. Thiscreates situations in which users are unable to access information,which they need to accomplish their tasks, because of a technologicalclassification barrier. This over classification of information resultsin hampering critical tasks and activities, as well as creating systemredundancies inefficiencies. The DoD (Department of Defense) multiplelevel security (MLS) was based upon the Bell-Lapadula (BPL) Model. Manybelieve that the BLP security model is superior to other models. TheBell-Lapadula Model and the existing MLS uses labels to classify usersand subject matter. A professional attacker will use his efforts tochange or damage the labels in-order to compromise the machines securedinformation.

The architecture or the present invention extracts and physicallyseparates data whereby content is being recognized not by labels byautomatically based on the semantic content of the plaintext. In someembodiments of the present invention, labels are added to the granular,filtered document to conform to known organizational protocols. Theselabels are displayed but not used by the system in processing.

In the DoD's MLS, data of multiple security levels are processed andtransferred by the system, which separates the varying security levelsand controls access to the data. In the prior art MLS system, someapplications process only one level of data at a time, (for example,when a user edits a document with a word processing tool, the data inthe document are treated as if they were a single level, theclassification of the document itself). Other applications treatindividual data elements at their actual levels. For example, a wordprocessor enforces paragraph and page MLS classification labels, or anMLS data base brings together data elements of different security levelsto allow an analyst a multilevel view of the information.

The vulnerabilities of MLS: The components in the MLS system contain thedata in their memories and disks, and the data could be compromised ifadequate physical security is not maintained. An attacker who getsaccess to the system might be able to locate the data or its copies.

MLS guards control the flow of information across security boundaries.These MLS guards are known.

One concern with the Bell-Lapadula Model and the existing MLS is the useof labels to classify users and subject matter. A professional attackerwill use all his efforts to change or damage the labels in-order tocompromise the machines secured information. The invention introduces anarchitecture whereby content is being recognized not by labels byautomatically based on the semantic contents of the plain text. Theinvention sanitizes and enables reconstitution upon validauthentication. It is the only architecture and system which enablesboth sanitization and reconstitution according to user's verified accessidentification. The conventional way of classifying documents with highclassification (TS), limits the low level clearance users (C) fromaccessing substantially unclassified information “granular data” whichis in the classified document. Furthermore, the invention enablesmaximum sharing of unclassified information which lies dormant inclassified documents. Top security-secret information is dispersed todistributed storage in many locations. The invention is designed toavoid any one point of failure. The theory behind the architecture isthe creation of substantial lines of defense in depth. The attacker willneed to break through many obstacles before accessing all the disperseddata of the document. Additional levels of security are provided withmulti-type encryption. The system and process introduces the capabilityto encrypt different parts of a document with different types ofencryption. Multi type encryption creates a major barrier to anattacker. Should he wish to break the encryption, he would need manysuper computers. Should the attacker look for implementation mistakes,even if he finds few, he will still not get access to the total plaintext. The inventive system provides flexibility. The system and processdelivers flexibility to accommodate changing circumstances. Bycontrolling the level of the granularity, the user can boost the levelof security according to changing circumstances. For example, if acompetitor becomes a partner the user enables him access to more storagelocations, by changing the matrix.

The system and process integrates the Internet for dispersal and hidingof contents. If a party needs more information it could be releasedgranularly. There is no need to release the whole secret document. Thesystem and process does not use labeling but rather extracts thecritical to storage (bu the system may label sensitive text to conformto known protocols). The system avoids situations, in which, attackersmay manipulate the labels or the labeling system. Furthermore, therelease of information is based on changing circumstances (time,location-GPS, event).

The invention is a machine and process and its purposes and advantagesmay be as follows: (a) To automatically control selection of dataobjects within a data stream and release them in a controlled methodonly to authorized parties. (b) To automatically separate data objectswithin a data stream into two or more digital data streams according tothe importance and categorization of contents, through extraction andremoval of the prioritized content and its replacement by appropriateplaceholders. (c) To automatically control selected contents in E-mail,and enable its release in a controlled method only to authorizedparties. (d) To enable users to leverage the growth in computer andtelecommunications connectivity and electronic commerce by reducingsecurity risks. (e) To enable users to release documents, digital files,and data streams into closed and opened digital networks with theconfidence that important, identifying, and critical contents in thatdocuments, digital files, and data streams is secure and will be seenonly by authorized parties. (f) To enable real time simultaneouscustomization and personalization of selected contents within a datastream to different parties, allowing instant display of the selectedcontent or part of it based on, and tailored made to the status of theuser or receiving party. (g) To secure the important and criticalcontents of a document or digital file by transporting said contentsinto a separated data stream and removing said data stream to a removedstorage memory, while eradicating any copies, temporary caches, ortraces of the removed extracts on the original computer or machine. (h)To enable instant return transfer to the display or to another displayall or part of extracted content instantly with verification ofauthorized user. (i) To create a projection of the original document,digital file, data objects within a data stream, or variations of itthrough combined projection of the splinted data streams, whilemaintaining separation between the data streams. (j) To create analternative method for security, instead of encryption, which is secure,cost effective, less time-consuming, and flexible. (k) To enableautomatic timed removal of specific content items, automatically ormanually selected from a document, digital file, or data objects withina data stream. (l) To enable an automatic timed reconstruction(reconstitution) of the said document, digital file, or data objectswithin a data stream.

The invention differs from the current implementations of multilevelsecurity MLS systems based on the Bell-Lapadula Model, and the prior artuse of labels to classify users and subject matter. A professionalattacker will use all his efforts to change or damage the labelsin-order to compromise the machines secured information. The presentinvention introduces an architecture whereby content is being recognizednot by labels by automatically based on the semantic contents of theplain text. The invention enables overcoming the obstacles of existingmultiple level security systems by enabling sharing of sensitive data,and granular data between parties in a much more flexible way which alsoenables much greater access to information not enabled by the currentMLS systems. The invention includes a controlled release mechanism forrelease of data in conformance to benchmarks, which can includesubmitting of access identification, the giving of consideration,submitting of other information, etc. The invention creates bettercollaboration between users and organizations based on a better flow ofinformation. It enables better efficiency enabling easier communicationbetween users and networks with different levels of classification whilemaintaining the highest levels of security. The invention enables a muchbetter management of documents in storage and in transport includinge-mail. The invention introduces automation to the sanitization processand an automatic reconstruction process. The automation will avoid humanerror both intentionally as well as unintentionally. The automation willenable a substantial reduction in costs, furthermore the ability tocreate a multilevel security environment in one PC or workstation willsave costs of purchasing operating and, maintaining multiple machines asis the current practice.

Adaptive Data Security

The present invention can also be configured as an adaptive securityprogram which adapts and adjusts the security provisions based uponintrusion into a particular network or attempts to electronically attackor hack into that network or successful hack events. Programs areavailable to track electronic attacks or hacking attempts. One of theseprograms is manufactured by Cisco and identified as the Cisco IntrusionDetection System (IDS). The Cisco IDS system can work on a server or onPCs in a network. The Cisco IDS is an electronic intrusion detector, oran electronic attack detector or a hacking monitor. The hack or attackmonitor is software loaded into a designated computer.

The output of the electronic attack or hacking monitor loaded into PC142 (FIG. 2) for example, or loaded into PC-6 acting as a server forNetwork A 404 in FIG. 6, generates a plurality of attack warnings. Theattack warnings progressively and incrementally indicate the severityand degree of intrusion and hacking attacks directed to the computersystem. The following Security Level Table illustrates an example ofvarious responses to increasing levels of attacks. These increasingsecurity responses include engaging the filter and extracting criticaldata and storing it locally; the next level involves storing thecritical data on removable storage media; the next higher level involvesoffsite storage of all security data; the subsequent security alertresults in multiple offsite storage for multiple levels of security orcritical data and the highest level involves offsite storage of bothcommon data (remainder data) and security data. Of course, othercombinations responsive to the hack attack may be provided. Theelectronic attack monitor may use artificial intelligence AI to (a)assess the severity of the attack, (b) plan an appropriate “secure data”response, (c) select the degree of filter, extraction and/or encryption,and (d) locate secure extract data storage sites. AI or inferencemachines can ascertain (a) traffic on communications channels, bothintra and inter network, (b) storage limit issues, (c) transmissionfailures in the communications links, and (d) the degree of securitynecessitated by exterior events, i.e., terrorism alerts, virus alerts,war, data security warnings posted by trusted sources, MicroSoft,Norton, NASA, DoD, CDC, FBI, etc. Higher security alerts trigger the AIsecurity monitor to heighten the security level (or to decrease thatsecurity level in view of a reduction or withdrawal of an electronicattack). Aspects of AI systems, inference engines and neural networksare discussed above in conjunction with the AI configured filter. TheseAI aspects can be utilized with an AI configured security sensor.

Security Level Table Attack (low threat level) Level One engage filterlocal storage - disk drive encrypt map Attack (moderate threat level)Level Two same as Level One but use removable storage media (local)Attack (nominal attack) Level Three Engage higher level filter Off sitestorage, single storage for all security data Attack (moderate attack)Level Four Multiple off site storage, multiple levels of security dataAttack (severe attack) Level Five Off site storage both common data andsecurity data

Hence, the filtering of data is based upon respective ones of theplurality of attack or hack warnings and the extraction of data anddegree of extraction is dependent upon respective ones of the pluralityof attack—hack warnings. Storage of the extracted data and the remainderdata is also based upon the degree of attack which is reflected in theattack—hack warning issued by the monitor.

FIG. 8 diagrammatically illustrates a flow chart showing the keycomponents of the adaptive security program adaptable to various levelsof hacker of electronic attacks. Step 460 senses all intrusions andattempts, that is, electronic attacks, hack attacks or hacking actionson a computer or a computer network. This step is equivalent to theoutput of the attack—hack monitor. Step 462 assesses the current networkperformance, adjusts the storage location for the extract data (thelocation of the extract store), the encryption level (the degree ofencryption) and the storage of the map showing the extract data storage(if necessary) and storage of remainder data, if necessary given theseverity of the attack. For example, during high utilization of thecomputer network (high utilization in a server computer in aserver-client environment), local storage of extracted data may bepreferable as compared with offsite storage of critical data. However,if the attack occurs during non-working hours, the performance of thenetwork is very high, and the security system could utilize all theresources in the computer network to achieve the security goal of safeguarding the data during the attack. System resources include processingresources (for encryption/decryption), bandwidth resources to storeextract data and any other resources that are critical for theutilization of the security system described herein. Decision step 464determines whether a threat or attack as occurred. If not, the systemtakes the NO branch returns to step 460. If YES, the system in step 466assigns an attack level or a hack warning level to the threat or attack.The system in decision step 468, monitors the network during the attack.If the network performance or the computer performance does not change,the YES branch is taken. If the computer performance or networkperformance changes based upon or during the attack, the NO branch istaken and the system returns to step 466 which reassigns an attack levelor a warning level to the next higher or significantly higher warninglevels.

After decision step 468, the system executes step 470 which assigns thesecurity level and implements the security program based upon theattack. It should be noted that the administrator establishes the degreeof security level, the encryption, the extract store and remainder store(if necessary) for various levels of attacks or hack warnings. Thesecurity level assigned to a particular attack warning is implemented instep 470. Decision step 472 determines whether the security program'scommunication path is clear. For offsite storage of extract and/orremainder data, a communication path is important. If the path isblocked or compromised by the attack, the NO branch is taken and thesystem in step 473 reassigns the security level to a next higher levelor a different, safer security level and returns to step 470. If thesecurity and communications path is clear, the YES branch is taken fromdecision step 472 and, in step 474, the system maintains the securityprogram. Decision step 476 determines whether sufficient time has passedfrom the attack. If not, the system loops to step 474. If YES, thesystem executes step 478 which either permits reconstruction of the useroperating the plain text or source document or automaticallyreconstructs those documents that were filtered, parsed, extracted, andsubject to outside storage. The system ends in step 480. To provideadditional security, the attack monitor can be configured to monitorsecurity warnings from trusted parties such as MicroSoft, Norton, NASA,DoD, CDC, FBI, etc. Emails or electronic communications from trustedparties can trigger higher levels of security. The attack monitordescribed above can be configured to accept messages from trustedparties. These messages are equivalent to detecting an electronicattack.

Further, the attack—hack monitor can be configured to monitor and assessother environmental conditions such as fire, power failure, equipmentfailure, unauthorized physical entry into the building, plant, orcomputer room. These exterior threats or events are monitored by theattack monitor since they may quickly develop into an electronic attackon the secured data retained by the computer system. In response tothese exterior events, the attack monitor generates corresponding attackwarnings similar in nature to the hack attack warnings discussed above.

There are various methodologies that may be utilized in the adaptivesystem. The tables that follow set forth these various securitymethodologies.

Standard Automatic Defenses Matrix Mode Normal Threat Attack EncryptionTargeted Full Encryption Multi Type Encryption Encryption ExtractionPlain-text Extraction of Extraction of Multi Type Extraction EncryptedData Encryption Distributed Single Storage Several Storage Many StorageLocations Dispersion Location Locations Display Single displayColor/Dither Multiple Displays Protection

Optional Automatic Defenses Matrix Mode Normal Threat AttackSubstitution of None Partial Many Code Words Substitution of NonePartial Many Misinformation Controlled Full Partial ConditionalRelease-Storage Storage Locations 2 4 10 or more Time for releaseAnytime Working Hours Conditional Authorized Users Many PartialConditional What to Release All Partial Conditional Secret Sharing NoneTwo Users As Configured

Security Meter Module Table Normal Mode Threat Mode Attack ModeENCRYPTION Targeted encryption Full encryption Multi layer encryption(Secret sharing) (Secret sharing) (Secret sharing) EXTRACTION Plain-textextraction Extraction of encrypted Extraction of multi Data encryptionDistributed Storage 1 critical storage few critical storage manycritical storage Controlled Release-Storage Storage # ID Time forrelease Authorized Users What to release Special conditions 2 usersonline 3 or more users Display single display single display multipledisplays Substitution of code words No No No

Normal Work Mode Extraction Storage Level 1 Level 2 Level 3 Level 4 WebOffline Remote Removable Local social security X X credit card X Xincluded X X last name X X number X X telephone X X name X X URL X Xe-mail X X uppercase X X initial capital X X currency X X postal code XX address X X location X X date X X

Threat Mode Extraction Storage Level 1 Level 2 Level 3 Level 4 WebOffline Remote Removable Local social security X X credit card X Xincluded X X last name X X number X X telephone X X name X X URL X Xe-mail X X uppercase X X initial capital X X currency X X postal code XX address X X location X X date X X

Attack Mode Extraction Storage Level 1 Level 2 Level 3 Level 4 WebOffline Remote Removable social security X X credit card X X included XX last name X X number X X telephone X X name X X URL X X e-mail X Xuppercase X X initial capital X X currency X X postal code X X address XX location X X date X X

Another object of the system and method is to enhance the survivabilityof a system, network, or an organization through distribution ofcritical information. The objective is to enable a network ororganization to carry on its critical missions even while under attackedor damaged. Survivability is the ability of a system to execute itsmission and provide critical operational services during and after asuccessful intrusion or damage. Providing critical operational servicesincludes maintaining availability of information and data such as creditcard numbers, names, phone numbers, transaction amounts, shipmentdetails without compromising the security of the information and data.

The invention is designed to enable a network to adapt to ongoing attackand react in a way that permits critical missions to continue. With thecurrent state of the art, when firewalls or other security measures arecompromised, no real obstacles curtail or hinder intruders. The systemand method is very adaptable and flexible to provide additional layersof security, privacy, anonymity, redundancy, and backup through theselection, extraction, storage, transportation, and reconstructionprocesses. The dynamic architecture of the invention enables it toconduct an automatic real time configuration of itsextraction/transport/recovery activities, in response to the challengeof attacks.

The invention's survivability modes enable: (a) Presetting of rules forcomputer or network functioning under attack or alert. (b) An automaticassessment of damage and automatic reaction to enable functionality ofcritical missions.

Multiple Security Features for Data

FIG. 9 diagrammatically illustrates a flowchart showing the keycomponents of a multiple encryption program using multiple types ofencryption in one document or data object. Multiple levels, types ormodes of encryption are utilized in the same document or data object toenable securing data and transparently managing the separation ofuser-based communities of interest based upon crypto-graphicallyseparated, need to know security levels. These security levels areassociated with a plurality of encryption types or with different cipherkeys using the same encryption. An example of a multiple level encrypteddocument is shown above in the Multiple Level Encryption sample.Different levels or modes or types of encryption are listed in theEncryption Table above.

Step 510 in FIG. 9 initializes the system by organizing differentsecurity levels with different encryption types and cipher keys. Also,the program sets filters to create the multiple encryption or MLdocument or data object. Step 512 filters the document or data object.Step 514 encrypts the extracted data for each security level. Thesesteps 510, 512 and 514 utilize many of the routines discussed above inconnection with FIGS. 4 and 7, steps 232, 234, 236, 238, 240, 422 and424. Step 516 recognizes that the secured document or data object may bestored for later use (with associated multiple decryption), published,distributed, or otherwise utilized to achieve the primary purpose of thedocument, i.e., to communicate information or to safely store securitycritical information. Step 518 permits the user, with the propersecurity clearance to retrieve the document or data object. Step 520illustrates that the user must retrieve his or her cipher key to decodeall or a portion of the ML encrypted document or data object. This stepmay be manual which engages the user to into certain codes or may beautomatic such that the user's computer automatically, without operatorinput, decodes all or part of the document or data object. Step 522decrypts the document pursuant to the user's security clearance. Step524 recognizes that the user may review, re-publish, store, comment on,re-encrypt or otherwise deal and handle the full or partially decodeddocument or data object. The program ends or otherwise continues withother programs set forth herein. It should be noted that storage of theextracted data may be included in the flow path of the program in FIG. 9is necessary.

FIG. 10 diagrammatically illustrates a chart showing the key componentsof the parsing, dispersion, multiple storage and reconstruction (undersecurity clearance) of data. Document or data object 100, in functionelement 550, is created or obtained by the input computer device. Thedocument is stored in a normal manner in customary data store 552. Aparsing algorithm function 554 is utilized in parsing step 556. Theparsing algorithm, as stated earlier, targets the plaintext document ordata object 100 and splits, cuts and segments (that is, parses) thedocument by bit count, word, word count, page, line count, paragraphcount, any identifiable document or icon characteristic, or otheridentifiable feature such as capital letters, italics, underline, etc.Hence, the parsed document 100 constitutes at least remainder data anddata which is extracted or parsed or segmented out. A plurality of dataextracts may be obtained. The parsed data (which is both the extractdata and remainder data) is then dispersed into storage facilities datastore DS 1, 2, 3, 4, etc. Preferably, the parsed documents are encryptedas shown by “e” in FIG. 10. In order to facilitate the potentialreconstitution of document 100, a map is stored in a map storage 558.Hence, the dispersement 560 largely spreads out or distributes theparsed document 100 to a plurality of memories in the distributedcomputer system. These memories may be removable memory devices (floppydisc, removable tape drive, CDs) or may be more fixed devices such ashard drives, Internet storage facilities, etc. Preferably, the map isalso encrypted.

Reconstruction step 562 enables a person with the appropriate securityto obtain the map from map storage 558, decode the map, gather thedispersed, parsed segments of document 100 and compile the document.This is noted in function 564.

Since the original document 100 is stored in a customary manner in datastorage 552, the parsed document stored in multiple data storage unitsDS1-DS4 provides a unique backup for document 100. The algorithm canemploy many different mathematical constructions but is, in the currentembodiment, primarily based upon one or more of a bit count, a word, aword count, a page count, a line count, a paragraph count, andidentifiable document characteristic, and identifiable wordcharacteristic, and identifiable icon characteristic and identifiabledata object characteristic, capital letters, italics, and underlinefound in the plaintext document or data object. Further, the parsingalgorithm can generate different security levels wherein parsed segmentsare stored at different storage facilities having various degrees ofsecurity clearance. This establishes a hierarchy of data storage unitsand corresponding degrees of security clearances. The parsing algorithmmay identify unique words or strings of data, i.e., credit card numbers.The hierarchy of security clearances may involve first a password,second a biometric confirmation such as a voice match and a third highlyunique biometric characteristic such as a fingerprint or retinal scan.The parsing system enables a large distribution of data in a securedenvironment. In this manner, if the original data object 100 atcustomary data storage 552 is destroyed, a person with an appropriatesecurity clearance can reconstitute the original data document 100 dueto the secured parsing and dispersal of document 100 through datastorage units DS1-DS4 and map storage 558. The parsing may occur on agranular level. In particular, the parsing may occur on a financialdocument in electronic form.

Financial Document Table

-   -   Startcode; Abel, Robert, NMI; 100567; TRANSFER803; To8900586943;        FROM3897622891; $700.00; endcode

In the Financial Document Table, the start code and end code istypically represented by a digital code unique to the communicationschannel, the name on the account has no middle initial (NMI) and thevarious words “transfer 803” and “to 8900586943” and the words “from”and “$” are represented by predefined numeric or alpha numeric codes.The electronic financial document complies with an established protocol.In any event, financial documents are often times transmitted throughelectronic communications and telecommunications channels. The presentinvention, in one embodiment, enables a higher level of security byparsing the financial document or data stream. Further, a higher levelof security may be employed by extracting identified text or charactersand storing the extracted text as discussed above in connection withFIGS. 1A, 1B and 2.

To some extent, the present system can also be utilized for keymanagement and encryption systems.

In a broad sense, the parsing methodology disclosed herein is not basedupon the separation of critical versus non-critical or classified versusnon-classified security information. The primary focus of the parsingmethodology is (1) automatic transparent parsing of data content intogranular data groups which are thereafter dispersed to different storagelocations in order to maintain a very high level of security with orwithout encryption; (2) dispersal of the segmented data to differentstorage locations each which, potentially, demand additionalidentification or security clearance prior to the release of the storedsegmented data, including, possibly, the creation of a digitalbureaucracy, in order to hinder or circumvent digital attacks on theplaintext document or data object; (3) proposing and implementing asystem wherein the user has a very basic appliance since most of theuser's data is stored both locally (customary data storage 552; FIG. 10)and parsed and stored in a distributed system (DS1-DS4) and wherein animportant asset is the map stored in map location 558; (4) enabling aninstitutional system to parse highly confidential information andextract the same in granular form and disperse the same throughout theInternet or other storage locations with or without encryption withoutcompromising the document's security privacy and integrity.

The process involves parsing the documents or content into granular datagroups and optionally creating small groups of data wherein the datasegments cannot be recognized even to the level of providing 2-4 dataobjects in each file; dispersing the granular data groups into differentstorage locations; creation of a map of dispersal to the differentstorage locations (wherein the map is secured and encrypted and stored);and reconstructing the documents or data content. The reconstructionutilizes the map of dispersed and distributed storage and requires thepresentation of security clearances such as passwords, biometricinformation and/or physical identifiers for access at the storage leveland potentially at all the other data storage sites. The data iscompartmentalized through distributed storage and sometimes requiresseparate security clearance. This need for presenting additionalsecurity clearance at different storage locations (DS1-DS4) creates adigital bureaucratic process which enhances the security level of theentire system. The selection and extraction of data and dispersal ofthat data to select storage locations can be established under differentcriteria. For example, one level of criteria extracts last name, addressand social security numbers. Another criteria extracts every other line,every third word, etc. The parsing algorithm can utilize randomselection or systematic selection as long as the parsing algorithm isdocumented and utilized in reconstruct step 562. The parsing algorithmmay be stored with map and map store 558 or may be stored separately. Anadditional feature, as discussed above, involves utilizing place holdersor adding substitute content to the remainder data of the parseddocument 100. The use of place holders and substitute content may bethought of as an algorithm for the parsing. By using place holders andsubstitute data, private or highly confidential data is masked insuringprivacy, security, and confidentiality. The ability to parse theinformation and/or extract security information is important forfinancial transactions. The transactions which require account numbers(see Financial Document Table above) are useless without the accountnumbers. The security of the account numbers, whether identified andextracted or severely parsed and segmented, stored and reconstitutedunder security clearances, is enhanced by the present system.

To achieve a very high level of security, the system can optionallyincorporate a two-man key system. The system automatically separates theselected data stream into one or more data groups and extracts one ormore of these data groups and disperses them into data storage DS1-DS4.To release the extracted data groups and/or critical content, thereconstruct step 562 may require two persons submitting identificationcredentials or security clearances. This two-man key method is a furtherprotection against identity theft and insider attacks. The two-men keysystem can be implemented on a regular basis or on an emergency basiswhen there is need for a higher level of security.

Financial documents sometimes include substantial amounts of numericaldata such as financial projections, balance sheets, electronic fundstransfer messages, etc. It should be noted that the extraction may bebased upon a particular item such a digit and a nine digit numberrepresenting money or may be parsed automatically based upon someparsing facility. Of course, the financial document may also be viewedas a data stream with delimiters “;” separating fields in the datastream. The parsing algorithm may work on the data in each field as wellas different fields in the entire data stream.

Most storage facility systems require a map in order to reconstruct theoriginal plaintext document 100. The map may be encrypted and mayrequire a secret key sharing scheme for access thereto. Further, the mapmay be a physical map (a printout) or may be stored on a removable datastorage medium, rather than be an electronic representation. In someinstances, a map is not necessary. For example, if the security data orthe parsed or segmented data were automatically stored on a floppy disc,the originator of plaintext document 100 could move the floppy disc fromthe computer system thereby physically safeguarding the security data orthe segmented, parsed data. Without the disc, another person or theoriginator of plaintext document 100 could not reconstitute thedocument. The originator may deliver the floppy disc to another in orderto permit reconstitution. The same is true regarding removable tapes andCD-ROMs.

Advantages of the present parsing system, methodology and program,include the ability to connect to unsecured networks without adverselyaffecting the overall security of the plaintext document 100; lessdependence on existing security system including fire walls; thereduction of the requirement to keep daily updates regardingvulnerabilities of the computer system originating plaintext document100; the security of plaintext document 100 is not dependent upon thenumber of access points into the network or number of users located onthe network originating plaintext document 100; there is no damage tothe parsed and stored backup version of plaintext document 100 if newsecurity systems are installed wrong or misconfigured and there is nodamage if system administrators turn OFF the existing security systemsor improperly install or operate the security systems.

The parsing system can operate as a main security operation or anemergency backup system or as a customary backup system. The plaintextsource document or data object may be preserved with or withoutencryption, or destroyed as a further data security step. The parsingand disbursement of data protects plaintext document 100 and insures thesurvivability of plaintext document 100 if the system originatingplaintext document 100 comes under significant electronic or physicalattack. That is, if customary data storage 552 is destroyedelectronically or physically, the survivability of data in the plaintextdocument 100 is established by the present system. The storage ofgranular data groups most likely would defeat any attempt to view theentire content of plaintext document 100. Only verified user users witha confirmed security clearances or identifications verified atreconstruct step 562 and in data storage sites DS1-DS4 are permitted toreconstruct plaintext document 100. Further, the parsing of the systemcan be triggered based upon an electronic attack, an electronic hack ora physical environmental detection scheme. This system immediatelyprotects of the critical data plaintext document 100 with a transparent,automatic parsing, dispersal and storage system.

It should be noted that various aspects of the methodology and programdescribed above in connection with FIGS. 1A-9 can be incorporated intothe parsing methodology and program in order to enhance or modify thesystem.

Email, Web-Based and Other Types of Applications

FIGS. 11A and 11B diagrammatically illustrate a flowchart showing thekey components of one embodiment of the present invention, that is, ane-mail security system. FIG. 11A is linked to FIG. 11B via jump points11-A and 11-B. The method of securing e-mail data operates on adistributed computer system which at least includes a remote memorydesignated as an extract store. Of course, the extract store maycomprise a plurality of extract stores operative in conjunction with aplurality of security clearance levels. A singular security level isidentified in FIG. 11A. Further, the e-mail may be subject to a parsingalgorithm which, as discussed above, is generally independent of theidentification of security sensitive data. However, with respect to theparsing aspect of the present invention, the original e-mail data issplit into extracted data and remainder data and the extracted data isstored in an extract store. Hence, the parsing algorithm operatesessentially independent of the content whereas the secured e-mailprogram operates based upon content identification. Although FIGS. 11Aand 11B primarily relate to identification of security data, the same istrue regarding the use of securing e-mail data with a parsing algorithm.

The e-mail security system begins with step 602 wherein the system orprogram is turned ON or is activated. Step 603 recognizes that the useroriginating plaintext document 100 (not shown) has set a security filteridentifying one or more security sensitive words, characters or icons.In step 604, the user composes the e-mail representative of plaintextdocument 100. In step 606, the user selects the “send” command in thetypical e-mail program. As is customary, the system in step 608 conductsa spell checking routine prior to sending the e-mail. In step 610, thesystem conducts a security check on the plaintext document or composede-mail generated in step 604. The filter is used in step 604. In step612, security words are highlighted or distinguished in the e-mail priorto the actual sending of the e-mail to the addressee. This step 612 isoptional. In step 614, the user selects the security words for data tobe extracted out. The highlighting step facilitates this selection. Instep 616, the system extracts the security data and, preferably, in step618, the security data is encrypted. Step 618 is optional. In a parsingapplication to secure e-mail, the parsing algorithm operatesautomatically at step 610 thereby eliminating steps 612 and 614. Theextracting step 616 simply represents that the segmented data obtainedfrom the original plaintext e-mail generated at step 604 is separatedfrom remainder data.

After encryption step 618, the e-mail security system generally operatesin one of three manners. Other systems may be formulated based upon thesystems and subsystems discussed herein. In one methodology, a seconde-mail is created (see step 629), in a second methodology the secureddata in encrypted form is attached or appended to the original e-mailcontaining remainder data (step 621) or, in a third methodology, theencrypted security data is simply added to or inserted into the end ofthe remainder data of the e-mail (step 623). The methodology ofgenerating a second e-mail is initially discussed.

A second e-mail having encrypted security data is created in step 620.Further, the system in step 622 adds a hyperlink to the remainder datain the original e-mail created in step 604. The hyperlink presents apointer for the addressee to a secured application service provider orASP. See the discussion of FIG. 2 above. The ASP represents a datastorage facility for the secured e-mail data. In step 624, the remainderdata from the original e-mail is sent to the addressee in a normalmanner. This step also includes the concept that the second e-mailcontaining the encrypted security data is sent to the ASP. In step 626,the addressee receives the remainder e-mail which includes a hyperlinkto the secured data ASP. The system jumps at jump step 11-A from FIG.11-A to FIG. 11-B.

In step 628, the addressee receives the remainder e-mail, visits the ASPvia the hyperlink and clears the security levels at the secured ASP. Instep 630, the secured data ASP obtains a map for each secured datae-mail (since the original e-mail may be broken up into a plurality ofextracted, secured data e-mails) obtains all secured data e-mail anddecrypts the same. In step 632, the secured ASP downloads the secureddata as an e-mail to the addressee. In step 634, the addressee systemcompiles the original plaintext e-mail 100. A reconstruction program maybe necessary to decode the secured data and insert the data into thedocument via the placeholders.

Optionally, the decryption could occur at the recipient's e-mail devicesomewhat prior to the reconstitution of the e-mail plaintext document100 during step 634. This requires the addressee to have the encryptionroutine and the correct key or decrypt code. The e-mail security systemdescribed above may include many of the features discussed earlier inconnection with FIGS. 1-9. For example, both the security data and theremainder e-mail data can be encrypted prior to transmission to theaddressee and the secured data ASP. The encryption may include multiplelevels of encryption and decryption may require multiple levels ofsecurity clearance. The encryption may be mixed in the remainder e-mail.Partial as well as full reconstruction is enabled as discussed above inconnection with FIG. 3.

From the senders or originator's viewpoint, the e-mail facilitydescribed herein facilitates the storage of the extracted data at one ormore secured sites.

Another implementation of the secured e-mail system attaches theencrypted and secured data to the remainder e-mail data as indicated instep 621. E-mail attachments are well known. Alternatively, theencrypted secured data may be embedded or copied in encrypted form atthe end of the remainder data in the original e-mail as indicated instep 623. In either case, in step 625, the e-mail is sent to theaddressee. In step 627, the addressee opens the attachment. In step 629,the system of the recipient decrypts the secured data attachment or theembedded data attachment. In step 631, the recipient's system integratesthe now decrypted secured data with the remainder data. Of course, thisa compilation step. Place holders or other position indicators arecustomarily utilized. Appending the encrypted security data is generallyequivalent to attaching a file to the original e-mail which constitutes,after extraction, the remainder data. Including the encrypted securitydata is adding the security data to the original e-mail at apredetermined location (either the top of the e-mail, the bottom of thee-mail or some predetermined line number).

It should be appreciated that the e-mail security system may workautomatically or may be selected manually by the user. The highlightingor special distinguishing manner for the security words in step 612 isoptional. By highlighting the security words, the user may select ordeselect those words for extraction. At the addressee's side, theaddressee's system may be configured to automatically seek out thesecured data ASP, enter security clearance data, download the securedata and integrate the secure data in the remainder data e-mail. Thepresent invention contemplates automatic as well as manual steps insteps 626, 628, 630, 632 and 634. The hyperlink with the originalremainder e-mail essentially maps the remainder data to the secured dataand the remote storage locations handling the secure data. Multiplesecurity clearances may be required of the recipient or addressee. Thee-mail system can be combined with other features of the security systemdiscussed above such as multiple security data locations, secret keysharing schemes, multiple encryption of the data in a single document,multiple security clearance levels required for a plurality of storagefacilities, the two man key system, automation of key management and aplurality of levels of access to the data such as partial reconstructionin step 634 and full reconstruction.

FIGS. 12A and 12B diagrammatically illustrate a flowchart showing thekey components of one embodiment of the system and the invention whichimplements the security system on a web browser. Jump point 12-A linksFIG. 12A to FIG. 12B. The system, at step 700 is ON. The filtersestablishing either the parsing or the identification of security dataare established in the filter set step 701. In step 702, the user inputsdata into open field of an HTML display page which the user haspreviously downloaded from a web server. In step 704, the user mayselect “secure now” turning ON the system or the system mayautomatically be ON such that the filter is screening all the data inputby the user in the open field. In step 706, the system scans all theopen field data, locates security data and extracts security data. Instep 708, place holders are added to replace the extracted security datain the remainder data and a hyperlink is added to the open fieldremainder data providing a link to the secure data ASP. In step 710, theuser selects the “send button” or any other indicator on the HTML pagetriggering an operation which transmits the open field data (which isnow remainder data) to the web server. In step 712, the web server andparticularly the common gateway interface (CGI) receives the remainderdata fields, identifies the place holders in the data and the hyperlinkto the secure data ASP. In step 714, the web server receiving the datafrom user's browser goes to the secure data ASP, inputs and clears anysecurity level, and obtains the secured data. In step 716, the webserver reconstructs the open field data which generally is representedby plaintext document 100. In step 718, the web server processes thedata as necessary. Many of the features discussed above in connectionwith FIGS. 1A-11A may be implemented on the browser system.

The credit card scrubber or financial data scrubber operates in asimilar manner to the email and browser data security system describedabove. The credit card or financial data scrubber (herein collectively“CC scrubber”) typically operates on a defined sequence of numbers. Forexample, if a credit card number is 17 digits, whenever the email orbrowser security system or program detects 17 sequential numericaldigits (a pre-set filter), a pop-up window may appear enabling the userto select or turn ON the scrubber. If ON, the data security programstrips or parses the credit card number and sends, for example, five ofthe 17 digits to a secure store. Placeholders or substitute charactersmay be inserted into the remainder CC data. To reconstitute the entireCC data, the intended recipient would be required to pass securityclearance levels at the secure store. Of course, the CC scrubber couldbe set to detect bank account numbers, personal or business accountholder names, pre-set passwords, etc. In an OFF state, the CC scrubberwould let pass the CC number, account number or pre-set data stream orstring. The user may select (i) always ON; (ii) pop-up window, select ONor OFF per transaction; (iii) pop-up window to select OFF (default beingON); or (iv) always OFF but minor reminder (audible sound, iconappearance, etc.) of data security risk. The CC scrubber may encrypt theextracted data for security. Other visual ques may rather than a pop-upwindow may be used (for example, a drop down menu). The scrubber canalso be deployed on wireless devices to scrub sensitive data such ascredit card and other financial data.

FIG. 13 diagrammatically shows several revenue systems which may beemployed with the data security systems described herein. Many types ofrevenue systems may be employed in conjunction with the presentinvention. FIG. 13 shows two basic systems, one at the data input stageand the second at the data output or reconstruction phase. Release ofthe reconstructed document or portions thereof are based upon securityclearance and compensation. Within each revenue subsystem are two typesof revenue generators, an advertising revenue generator and a usercharge generator. The user charge system contemplates charging orassessing a fee to the user's employer or organization. Therefore, thesystem operator may select up to four (4) revenue generation systems(ads at the input, charges at the input, ads at the output and chargesat the output). It is well known that vendors selling goods and servicesover the Internet are willing to pay a certain percentage of their salesrevenue to other entities referring customers to the vendor's web sites.The concept of display ads in FIG. 13 includes this revenue stream. Thesystem operator may choose all, one, several or none of these revenuesystems to be deployed in conjunction with the data security systemdescribed earlier herein. Other revenue system may also be utilized. Thesteps in the revenue system described herein may be reorganized toattain higher consumer and user acceptance and/or to maximize therevenue to the system operator.

Decision step 730 determines whether the system is deployed at the datainput phase or not. It is clear that the system operator may utilize thedata reconstruction revenue system and hence the decision step 730 isnot necessary. If the data input system is employed, step 732 displaysthe ad to the user. The user may be uploading a complete document to anapplication server on the Internet or may be using a application serviceprovider on the Internet or an private LAN to secure his or her data.The display ad 732 step enables the user to click on the ad and visitthe vendor, thereby potentially generating a referral fee. See referralfee branch 757. Step 734 requires password clearance. Step 736 processesthe document or data object with the security system. The user may inputthe document real time or input it to the application server or mayupload the complete document to the server. Alternatively, the ad couldbe buried in the email or application program run on the user's computerand the user would be shown an ad and given a link to the vendor'sInternet site. Selecting the link points the user's browser to thevendor's site.

Step 738 shows display ad 2 to the user thereby potentially generatingreferral revenue for the system operator. Step 740 notes that the userexits the revenue system. Step 742 determines whether the system chargesthe user for the security service. If YES, the program processes thecharge in step 745 (charge systems are known). If NO, the system ends orreturns to other programs in step 747.

The NO branch from determination step 730 leads to the receipt of areconstruction request by the user in step 750. Step 752 determineswhether the user will be charged. If YES, the system executes step 745.If NO, the system displays the ad 1 in step 754. Referral generation isnoted by branch 757 from step 754. In step 756, the user's password issubject to clearance. In step 758, the user's request is processed, thedocument or data object is reconstructed (fully or partially asdescribed earlier), and in step 759 the system displays ad 2. In step762, the user's activity is logged in to the system. Step 764 determineswhether the charge to the user is reduced (because he or she viewed theads) and if not, the system ends in step 747, if YES, the systemprocesses the charge in step 745. Alternatively, the user may be showndisplay ads and/or charged for services upon storage of extracted data.Step 750 includes this concept.

Portable Computing Device Environment

The invention can be applied to portable computing devices to securefiles and data objects in such devices. The invention extracts,disperses, via a controlled release of data segments to storagelocations, and permits reconstruction utilizing security protocols toprovide a security system for data based upon the location of theportable device, typically detected by a global position signalgenerator (GPS) or based upon triangulation data from several broadcastpoints. Scrubbing security icons from maps, credit card data orfinancial data from text, a data object or data stream is part of theportable security system.

As used herein, the term “portable computing device” means a laptopcomputer, a PC with a movable feature, such as a PC mounted in a car,plane, truck or trailer, PDAs or personal data assistants, mobile orcellular phones configured with a memory, a processor and some type ofGPS or locator system to determine where the phone or cellular unit islocated within a territory and digital pagers having similar electronicsystems.

The present invention can be linked with a location sensing circuit,such as a global position sensor or system (GPS) or other type oflocation sensing system, such as a system which utilizes triangulatedsignals. The concept is a location based access oriented security suchas an automated trigger (which activates the security program discussedhereinabove when the portable computing device is beyond a predeterminedregion); an automated safety system; a trip wire; an interlock; a methodto disable systems, activity or access to data; and means to limitfunctionality or access in whole or in granular parts. The portablesecurity system operates on text, data objects, images or otherdigitally configured data objects. Security access is limited by alocation way point (in relation to a reference point) or a calculatedrange (using satellite GPS, high altitude services, or earth-based rangefinding GLS (geographic location services)) about a way point withphysical means or mathematical calculations to define a geographic areaby equations or geometric shapes or aggregated ranges (the shapesincluding rectangles, solids, cubes, circles, oval, spherical region orother areas defined by algorithms). Physical and logical access or entrycontrol to weapons, devices, vehicles, computers, equipment, tools,data, networks, local access, remote access beyond a physical location(reference point), can be enabled or disabled with the system of thepresent invention. The regions (sometimes identified as a singlepredetermined region or a plurality of predetermined regions), canconsist of complex definitions of three dimensional areas of arbitraryshape and sizes, as long as those regions can be defined by algorithms.The region can also be defined as an area circumscribed internally by aperimeter or by an area external to that perimeter. In other words,access can be denied if the portable device is within a certain regionas compared with denying access when the device is beyond apredetermined regions. The claims are meant to cover both situations.

FIG. 14 diagrammatically illustrates a portable computing device 810 atlocation B. The portable computing device 810 includes, in theillustrated embodiment, a GPS system (or a receiver system) 812 coupledto a bus 814 and further coupled to memory 816, a processor 818 and aninput/output system 820. Input/output 820 is coupled to, among otherthings, a key board or key pad, a display, and possibly a transmitterand receiver subsystem. As is known, GPS Systems detect satellitepositioning signals and generate an output indicative of the location ofthe GPS system. In the illustrated embodiment, this location is locationB in FIG. 14.

A simple implementation of the present security system provides thatupon detection of d1 from location A, defined by building 822, certainsecurity events occur, e.g., automatic extraction and a denial ofreconstruction rights. In one example, GPS subsystem 812 continuallymonitors the location of portable device 810. When the location ofdevice 810 exceeds a predetermined distance (d1-limit), the programoperating in memory 816, operable by processor 818, either extracts dataand stores the extracted data as discussed in detail above or prohibitsreconstruction of data as requested by the operator of portable device810. Alternatively, automatic extraction may occur without prohibitingreconstruction due to device 810 being located beyond the predeterminedregion d1-limit. The portable computing device 810 in FIG. 14 may havemany other electronic components such as those shown in FIG. 2 inconnection with computer 165. Alternatively, the security system can beconfigured in a reverse manner such that the extraction of securityinformation is triggered when portable 810 is within a predeterminedregion (less than d1-max) close to location A and building 822, that is,the security system disclosed above is triggered to extract informationwhen distance d1 is less than d1-max.

The security system can also be configured such that GPS or locatorsystem 812 detects a variable distance such as distance d2 between truck824 and location B of portable device 810. In this sense, the locationof portable device 810 is obtained by GPS circuit 812 and further sometype of communications must be established between truck 824 at locationC and the portable device 810. For example, the receiver coupled toinput/output 820 receives this information from location of truck 824and location C. This reference location C is then processed inconjunction with the location data from GPS circuit 812 by processor 818and memory 816. The same results as discussed above in conjunction withfixed reference location A can be achieved with a variable referencelocation C. Truck 826 at variable location D enables the system toprovide an additional level of security. In other words, within distanced2 (d2-limit), the operator of portable device 810 may be able toreconstruct information upon request. However, if portable device 810intrudes upon or is less than distance d3 (d3-max) the distance betweenlocation B and location D, the security system may trigger an immediateextraction routine thereby disbursing, on a granular basis, the securedwords, data objects or whatever and further prohibit reconstruction. Ofcourse, the security system could be configured simply to extract theinformation and permit reconstruction. Otherwise, the security systemcould be configured to simply extract information and prohibitreconstruction. In this manner, the security system discussed inconjunction with the portable computing device 810 can have multipletriggers or location established events enabling the security program toextract security information or disabling the security program toprohibit reconstruction based upon a fixed location A or one or morevariable locations C, D.

Another configuration of the present invention utilizes triangulation toobtain location B for the portable computing device 810. In atriangulation situation, the receiver system 812 for the locatorreceives signals from one or more fixed locations, and preferably threelocations diagrammatically illustrated by tower T1, T2 and T3 in FIG.14. The triangulation of signals to obtain location B is known in theart. However, the combination of such location position coupled toextraction of security data and/or reconstruction of security data basedupon certain location parameters is part of the present invention.

For illustration purposes only, the present security system for theportable computing device 810 can remotely store extracted securityinformation. Remote store 828 coupled to receiving tower T1 illustratesthis concept.

FIG. 15 diagrammatically illustrates a basic flow chart for the portablesecurity system program utilized in connection with portable computingdevice 810. Decision step 830 determines whether a certain event hasoccurred. This event may include a power ON for the portable computingdevice, may be a “save document” command, may be a screen ON event ormay be a timed function. For example, if the portable computing device810 is continually ON, the program may periodically poll the locatorcircuit (GPS 812) and determine whether location B is within or beyondthe predetermined regions (d-max or d-limit). Step 832 activates the GPSor the triangulation circuit to obtain current location data. This mayinclude locating variable locations C, D. Step 833 obtains territorylimits for various security levels. As discussed earlier, security levelSL1 is public or non-confidential information, security SL2 confidentialor proprietary information, level SL3 is secret information and levelSL4 is top secret information. This system can be configured such thatvarious territories or predetermined regions correspond to respectiveones of the security levels SL1-SL4.

Decision step 834 determines whether location B of portable computingdevice 810 is within or without the predetermined territory limits orpredetermined region. If YES, the system determines in decision step 836whether the user has initiated a reconstruction request. If not, thesystem returns to a point preceding decision step 830, the detect eventfunction or step. If YES, the system, in step 838, reconstructs thedocument only if location B is beyond a predetermined region. Of course,a negative operation could occur in that reconstruction would beprohibited if location B was within a predetermined region. The claimsappended hereto are meant to cover both within a region and without aregion and independently, extract or permit reconstruction. Step 840secures the reconstructed file again as necessary. The term “beyond”includes both within a region or, if pre-programmed, without a regionbecause the designated region may be “white,” permitting (a) extractionat the transit over the regional boundaries or (b) reconstruction withinthe boundaries, or may be “black” forcing extraction automatically andprohibiting any reconstruction therein. Programmers know that white andblack regions are interchangeable since the command to be executed couldbe a positive or a negative command (e.g, reconstruction permitted(white) vs. reconstruction not permitted (black)).

Returning to decision step 834, if location B is not within thepredetermined regions or territories defined by security levels SL1-SL4,the NO branch is taken and decision step 842 determines whether portablecomputing device 810 has any unsecured files. If YES, the systemexecutes step 844 which is extract and store the security sensitivewords, data objects etc. in accordance with security levels SL2-SL4. Asstated above, the storage could be on media in a local drive or can beremotely distributed to memory segments designated as a remote extractstore. If the NO branch is taken from decision step 842, the systemexecutes decision step 846 which determines whether the user hasrequested a reconstruction of data. If not, the program ends or returnsto the event detection step 830. If YES, the system executes step 848which determines whether a lower security clearance is available withinthe current territory, determines whether the user has the proper passcode to access the reconstruction and process the reconstruction orwhether the system prohibits all reconstruction. Partial reconstructionfor lower security items may be permitted. For example, reconstructionat top secret level SL4 may be prohibited when distance d2 is greaterthan d2-limit but reconstruction at a lower security level such asconfidential level SL2 may be permitted beyond limit d2-limit. In thissense, the present invention can be configured to generate extractionfor various security levels at various predetermined regions based upona fixed reference point or a variable reference point. Alternatively,reconstruction can be permitted or denied based on a plurality ofsecurity levels and a plurality of corresponding regions or distances.The term “mobile predetermined region” is sometimes utilized inconjunction with variable regions d2 and d3.

As an example, the data object retained by portable computing device 810may be a map having security sensitive icons on the map. These icons areextracted if location B is less than a predetermined defined distanced3-limit between variable location D and location B. If location B isbeyond d3-minimum, the map can be viewed by the operator on portabledevice 810. If location B is less than distance d3-minimum, the securityicons are removed from the map. In a similar sense, security sensitivecredit card characters can be extracted from plain text documentscarried on portable computing device 810 when device 810 is a certaindistance beyond d1-limit from fixed reference point A. This location Amay be a bank headquarters. Encrypting and decrypting the data basedupon the geographic event is also contemplated by the present invention.Of course, portable device 810 may be a plurality of portable deviceslinked via a hard wire network or via a wireless network. The samesecurity program disclosed above in herein can be utilized with onecomputer or a series of computers. Further, portable computing device810 can include a plurality of memory segments (see FIG. 3A) and mayinclude a plurality of display screens as discussed above in conjunctionwith FIG. 3. The extraction and storage and reconstruction of streamingdata is possible as is operation on voice data. Additionally, theportable computing device may set off an audible and/or visual alarmprior to extraction of data. For variable territories or predeterminedregions, step 832 or 833 may include gathering information regarding thevariable location of vehicles 824, 826 prior to determining theterritorial limits for various security levels SL2, SL3 and SL4.

Multiple Independent Levels of Security (MILS)

FIGS. 16-18 diagrammatically illustrate a computer system configured asa multiple independent levels of security (MILS) system. Although thegeneral operation and layout of the MILS system is well known, theincorporation of the inventive system, that is, granular filtration,extraction and re-assembly is unique to the inventive system. In thefollowing MILS system 910, the dispersion and retrieval operation of thepresent application is discussed using, as an example, one of the mostcommon environments for protecting classified data, that is, MultipleIndependent Levels of Sensitivity (MILS).

As is known in a MILS configuration, each level (TS-top secret;S-secret, U-unclassified) of classified data is isolated from otherlevels by confining it to set of components dedicated to a singleclassification level. Data labels are not used within the system, sinceits components are Commercial-Off-The-Shelf (COTS) products that are notable to handle data labels. The level of the system TS, S or U (topsecret, secret or unclassified) establishes an implied sensitivitylabel. Data is explicitly labeled only in guards 926, 932 (the Dispersaland Re-assembly guard computers) and other MLS devices that connect theMILS system to systems at other sensitivity levels, that connect the TSsystem to the S system and to the U system. Data transfer between levelsis accomplished manually (sneaker net), or through a few, high assuranceand closely protected MLS devices, such as guards, digital diodes, etc.A user with the authority to access multiple levels of data is requiredto use a separate set of interface equipment to access each MILS system.In some cases, keyboard-video-mouse (KVM) switches are permitted.

FIG. 16 shows an implementation of the present invention in a MILSenvironment. Two similarly configured domains 911, 915 are shown (upperregion consisting of sub-networks 912, 913 and 914 and lower network915), presumably under different administrative control. Each domain hasthree networks, one for each of three classification levels. Eachnetwork includes a plurality of workstations (only one station beingshown in the figure), a Dispersion and Reassembly (D&R) server 926, 932,(a MLS device connected to all networks), and database servers TS, S andU data servers (928, 929 and 930 in the upper domain and 934 in thelower domain) to support the D&R server's proxy document serverfunctionality.

The user interface components of the present invention reside on theuser workstations W St-U (920), W St-S (918) and W St-TS (916).Dispersion and reassembly functionality is hosted in the D&R servers926, 932. Digital signatures (encryption) protects the integrity of userdata between the user interface at 916, 918, 920 and the D&R server 926.Encryption provides a level of discretionary access controls thatprevents disclosure in cases where others have the appropriate clearanceut lack the formal “need to know” level to view the classifiedinformation.

The present example discusses an e-mail and a file server to helpclarify its operation in a MILS environment. The system may beconfigured to handle other documents, images, etc. In the e-mailexample, a Top Secret user 916 will prepare a multi-level message andsend it to a Secret user 922 b, and the recipient 922 b will only beable to read the “Secret Level” and below parts. In the file serverexample, a Top Secret user 916 will prepare a multi-level document andpost it to a file server, then a Secret user 922 b will retrieve it,getting only the Secret and below parts. These are both downgradingexamples. Movement of data within a level and to higher level conformsto existing security rules, for example, Bell-LaPadulla rules.

The path an e-mail message takes from a Top Secret workstation 916 inone domain 911 to a Secret workstation 922 b in the other domain 915. Itwould work similarly if both sender and receiver were in the samedomain; the local D&R server 926 would perform the functions of both D&Rservers 926, 932 in this example. The D&R server 926 hosts an e-mailserver that is customized to perform D&R functions, as described below.

An e-mail originator on a Top Secret workstation 916 composes an e-mailusing MS Outlook.

Originator marks sections of the message with TS, S, and U levels(explained herein), and the system on workstation 916 compartment tagsthe email document using a combination of the automatic featuresdescribed earlier and manual tagging (user based), as allowed by thesecurity policy of the accrediting organization.

Originator 916 digitally signs and sends the message to the mail serveron the D&R system 926.

The Disperser component of the D&R mail server 926 verifies that theoriginator 916, identified by e-mail address and authenticated by thedigital signature key, has the authority to downgrade messages to therequested levels.

The Disperser within Server 926 separates the message according to theoriginator's tags.

The Disperser writes the message sections tagged higher thanUnclassified to the Secret and Top Secret servers 929, 928. Theunclassified part becomes the base message map stored in server 930 andcontains pointers to the higher-level components. The pointers map there-assembly path when the document is fully or partially re-assembled.This base message map is the only step in the process that requiresdowngrading. A guard 926 is used to provide increased assurance that thedowngrading is done correctly (see FIG. 17, guard 936). The originator'sidentity is provided to the guard as part of the downgrade credentials.

The Disperser forwards the base message and message map, to the D&Re-mail server 932 of the addressee, using its Top Secret network path c.Other paths 924 a, b and c link the same security levels in eitherdomain. Using the TS path prevents downgrading if the target server 932is not a D&R server. Alternately, the D&R servers 926, 932 couldauthenticate each other before transferring messages.

The target D&R e-mail server 932 determines the clearance of theaddressee 922 b from its network address and looks up the addressee'scompartment authorization in its own tables. It then removes links fromthe base message and map to all message components that are notdominated by the addressee (as defined by Bell-LaPadula).

The target D&R e-mail server 932 then retrieves the data for theremaining message components from S database server 929 via guard server926, constructs or re-assembles the message that the addressee iscleared to read (secret level, not top secret level), and places themessage in the addressee's inbox 922 b that is at the security level ofthe highest component in the message. These steps are executed for eachaddressee.

The addressees 922 b connect to their local D&R e-mail servers 932 anddownload unread e-mail.

A similar method is used for document serving, such as would be used forfile service, web service, ftp service, etc. The document creators tagtheir documents, sign them digitally, and post them to a D&R file server926, 932, which is actually a proxy using storage in the databaseservers 928, 929, 930, 934, and others not numbered. The server 926, 932disperses the message components to its database servers on the MILSnetworks.

The following describes the path a document takes from its creation (ormodification) in a Top Secret workstation 922 a in one domain 915 to areader on a Secret workstation 918 in another domain 911. The D&R server932 hosts file servers that are customized to perform D&R functions, asdescribed. The document posting process follows:

A document is created on a Top Secret workstation 922 a using MS Word,Excel, etc.

The originator 922 a marks sections of the document with TS, S, and U,and compartment tags using a combination of automatic and manual taggingfeatures, as allowed by the organization's security policy.

Originator at 922 a digitally signs and sends the document to the fileserver on the D&R system 932.

The Disperser component of the D&R file server 932 verifies that theoriginator 922 a, identified by the digital signature, has the authorityto downgrade documents to the requested levels.

The Disperser in server 932 separates the document according to theoriginator's tags, creating a base document at the lowest tagged level(U-Db or S-Db) that contains pointers to the more classified components(TS-Db 934). The base document is encrypted using an algorithmappropriate to its level.

The Disperser writes the document sections to the file servers (U-Db orS-Db or TS-Db 934) according to their tags. This is the only place inthe system where downgrading is performed. A guard 932 is in thedowngrade path to provide additional assurance that data is not leaked.The user identity derived from the originator's 922 a digital signatureon the tagged message will be provided to the guard 932 as part of thedowngrade credentials.

The disperser places references to the document in the directory of eachfile server 932, 926 for which a version of the document can be built(e.g., if there is no unclassified data in the document, a reference tothe document will not be placed in the unclassified directory).

The document retrieval process follows:

A user on a workstation 916 logs onto its local D&R proxy documentserver 926. The strength of user authentication is application specificand determined during system accreditation.

The user 916 locates a document and requests that it be downloaded forreading, specifying a requested sensitivity level and compartment.

The Re-assembler component of the D&R server 926 loads and decrypts thebase document.

The Re-assembler in server 926 verifies that the requestor 916 dominatesthe requested security level and compartment, based on the level of thenetwork over which the request was received and the contents of itscompartment authorization table.

The Re-assembler in server 926 constructs the document to the authorizedsecurity and compartment level.

The Re-assembler provides the document to the requester.

The re-assembly function does not violate Bell-LaPadula and does notrequire downgrade authority.

Server and Workstation Components

FIGS. 17 and 18 diagrammatically illustrate the server and workstation.FIG. 17 shows the D&R Server 926 hosted on a DigitalNet CTS-400 system,which is currently evaluated. It consists of the CTX-400 hardware andthe STOP 6.0 operating system. The disperser part 937 of the D&R server926 has the most security critical functions, since it must move datacontrary to the Bell-LaPadula security policy. It maintains a table ofuser downgrade authorizations 938 keyed by the originator's publicdigital signature key 939 and downgrade authority 941. A guard 936 isalso included, which may employ a version of automated tagging system ofthe present invention to identify sensitive data. The double check ofthe security label tag for each part of the message/document provided bythe guard 936 is particularly important since the downgrade labels areapplied in a single-level system.

The re-assembly side (in re-assembler 942) requires no policy violation,but requires its own table of user compartment authorizations 944because the MILS systems do not have the ability to label data. Thetable 944 is keyed by e-mail address (for e-mail routing) or useridentity 945 from the user authentication process (for file service).Authorized compartments 946 are coupled to email user id 945.

The components of the user workstations are shown in FIG. 18. A MILSworkstation 916 is a single-level component, that is, it is coupled to asingle security level network. The user interface will in some cases beinstalled on existing workstations 916 and in other cases newworkstations procured for this use. The workstations include anoperating system Windows 2000, a graphical user interface Windows GUI,WS Office as a document processor, digital signature system rated at EAL4 and a rated user interface.

Flexibility of the Present Approach

The late-binding techniques or retrieval and reassembly features used inthe present invention is a compelling feature, because it providessolutions to some of the most significant problems of sharing data inmodern warfare and international coalition operations. A singlecomprehensive document can include data sensitive to many differentenvironments, yet by tagging its components correctly, maximally usefulversions can be provided to readers with widely differentauthorizations, and without having to identify them all ahead of time.

For example, in a coalition environment, countries or classes ofcountries, or agencies within countries can be assigned non-hierarchicaland hierarchical labels and then a single document, suitably tagged, canbe securely distributed to all of them using a properly configured andadministrated infrastructure of the present invention.

In the presently configured MILS embodiment, the tagging protocol is, ata minimum, confirmed by the guard in the D&R servers. In prior artsystems, only the guard tags documents. In the presently configuredsystem, the thin client applications program on the workstation tags thedocument segments but the guard confirms this preliminary tagging. Onefeature which seems to be important in certain security systems is thatthe re-assembly map be cleaned or scrubbed to match the then currentsecurity level where the map is stored. This theory, carried forward,would include the concept that the re-assembly map, stored in eachversion of the secured document, only point to the next level storagelocation. Hence, if all portions TS extracts, S extracts, C (classified)extracts and U (remainder) document are dispersed into, for example TS928, S 929, C (not shown) and U 930, then the document in U 930 onlyincludes a pointer to the location of C extracts and the C extracts onlyincludes a pointer to the S extracts and the S extracts includes only apointer to the TS extract location. The downgrade discussed above referstot he location of the higher secured extract.

Multiple Extraction Filters and Application Outline

There is a need to construct filters which supplement the initial listor compilation of security sensitive words, characters, icons and dataobjects (herein “word/objects”). The need arises either due to the factthat the initial security word/object list is incomplete, or that theauthor of the initial list is concerned that the list is too limited orin order to defeat a attack or an inference engine “reverse engineering”the sanitized document and ascertaining not only the filter (a type ofcode) but also the sensitive word/object removed from the sourcedocument. Further, the incorporation of a filter generator enhances thecurrent user friendliness of the program. In its current embodiment, theprogram is configured as an editor to screen and sanitize a sourcedocument. The user selects, at his option, functional aspects whichinclude: compliance with laws (an application of a type of filter, e.g.HIPAA, GLB, Oxley-Sarbanes, EU privacy, executive orders); privacy(another type of filter which excludes, for example, social securitynumbers, see also, EU policy); search for and supplement filter; pay perview (which enables the user to buy missing sensitive information (forcommercial purposes); survival (which creates a distributed anddispersed copy of the user's document and other stored documents anditems using predetermined storage facilities); security (which triggersthe various security routine discussed herein); and storing (whichpermits the user to select which of the several storage options theextracted sensitive data/objects should be employed in the dispersal.

The filter routine diagrammatically illustrated in FIG. 19 is useful incompiling a filter which separates both the sensitive word/objects andcontextual and semiotic and taxonomic aspects of the initial list ofsecurity sensitive word/objects. The filter works in conjunction with acompilation of data, typically located on a network which could beprivate or public. In low level security situations, the filter mayaccess Internet databases to gather additional data for the filter. Inmore secure systems, the filter could access a secure data base (onelocated at the same security level as the user) and build or compile theadditional word/objects. The filter program 950 in FIG. 19 begins withstep 952 which compiles the initial list of security sensitiveword/objects. In 954, the initial list is supplemented withdictionaries, phone books, corporate records (to obtain subsidiary dataand trade names) and thesaurus data. Each of these represent differentcompilations of data and the added data is added to the initial list ofsensitive word/objects. In 956 a search is conducted on a network,usually through a search engine, to gather excerpts near and abut thekeywords. These keywords are the initial sensitive word/objects.Statistical algorithms are applied to gather non-common word/objectswhich are associate with the keywords as found in the additional datacompilations. The goal of the adaptive filter is to obtain contextual,semiotic and taxonomic words, characters or data objects from thecompilation of additional data related to the security sensitive words,characters or data objects. Semiotic is a general philosophical theoryof signs and symbols (read language and words and objects) thatespecially deals with their function. Semiotics include syntactics,semantics and pragmatics. Syntactics is the formal relationship betweensigns. Semantics is the meaning of signs and pragmatics is therelationship between signs and their users, such as the relationship ofsentences to their environment. Taxonomy is the scientificclassification and categorization of items. Therefore as an example, asearch through the Internet on Google search engine under “Bin Laden”may show a number of uncommon (non-dictionary words) within 200 words ofthe target “Bin Laden.” This search string would gather documents formthe Google search and copy 200 words on either side of “Bin Laden” andthen extract only non-dictionary words into a supplemental list. Thistype of filter algorithm looks for contextual matters close or near tothe target. The search is semiotic and statistical in nature.Additionally, the initial supplemental list would identify the Bin Ladenis an arab and this classification (a taxonomic aspect) can be used toexpand the list for the filter. The algorithm may include a simplecommand to gather all 10 words on either side of Bin Laden. This is apure contextual search and the “10 word” aspect is a statistical number.From the supplemental list, all pronouns, prepositions and conjunctionsmay be eliminated. Spiders or robots may be used in the gathering of thecontextual and semiotic filter data. The contextual, semiotic andtaxonomic words, characters or data objects from the compilation ofadditional data is all related to the initial list of security sensitivewords, characters or data objects.

Step 958 compiles the adaptive filter. The above noted contextual,semiotic and taxonomic filter is adaptive since it can be used to expand(and potentially contract or reduce) and adapt an existing list ofsensitive word/objects to a larger list which better protects the sourcedocument and inhibits the operation of an inference engine. Step 959repeats the filter gathering and compilation for various levels ofsecurity. Higher security may require a broader search (1000 uncommonwords near Bin Laden and add all Arabic and sub-Asian continent cities).Orthogonal security groups (those groups having the same level, e.g. SSecret, with each other but being different organizations, e.g,Department of Defense compared to the FBI) often have different methodsto keep data secret between compartments.

The adaptive filter can be set to automatically gather additivesensitive word/objects. The system, with a basic filter, may identify asensitive word in a paragraph being scanned by the initial filter. Thissensitive word may be a special word in the existing filter or may be anon-common word not found in the initial filter. The adaptive filtersystem may then obtain this “unknown” or “special” word, and conduct asearch through a compilation or data base of additional words, etc. Anynew word/objects falling within the contextual, semiotic and taxonomicwords, characters or data objects from the compilation of additionaldata (database) related to said security sensitive words, characters ordata objects are then added to the filter. The expanded filter is thenused to screen the source document.

Step 960 compiles a supplemental filter with random words, phrases, etc.in order to further defeat an inference engine reverse engineeringassault on the secured and sanitized document. In some sense, theproduction and use of a random filter is an encryption technique sincethe resultant filtered product, in order to be understood by others,must be reverse filtered or decrypted to reveal the document at theappropriate security level. Nonsense words may be added to thissupplemental filter. Step 962 applies the primary filter (with thesecurity word/objects and the additive word/objects from the contextualet al. filter) to the source document. Step 964 extracts the sensitiveword/objects per security level. It is noted that several filters areused, on one for each security level, whether hierarchical ororthogonal. The extracted word/objects are stored or th partiallyextracted document per security level is stored in the correspondingsecurity cleared data base or storage. Step 966 applies the supplementalfilter to the remainder or lowest classified document. Step 968 storesthe supplemental random filter to permit the low level user to decryptthe document. Step 970 publishes, distributes or pushes the document toothers having a need to know. The pointer to the location of thesupplemental filter decoder is encrypted and stored in the filteredremainder document. This permits the low level person to decode theremainder document.

The Secure Editor

FIGS. 20-21D diagrammatically illustrate an editor which may be employedto secure sensitive word/objects in a source document. In a currentworking embodiment, the secure editor is a standalone application or amodule to add into other applications for plain text and media creation,editing, and sensitivity level tagging. Other types of tagging, whereinthe editor supplements the initial group or subset of security sensitivewords, characters, icons and data objects by categorization, taxonomyclassification, privacy, security, compliance, and semiotic meaning, arealso available. The editor supports a full range of document managementand can be integrated into a unified infrastructure, from creation,editing, document markup, tagging, tag conversion, tag removal, contextsensitivity level redaction, context reconstitution, and support forcomplex process work flows. The architecture assures separation of datafrom metadata so that no security lapses are introduced into thetraditional word processing and document management cycle.

From the user's standpoint, the Secure Editor is not much different fromother information processors such as vi, Word, Notepad, and otherdesktop tools. However, behind the scenes (that is, automatically andwith nominal operator input (after the editor is initialized)), thisapplication separates the data stream from all markup and taggingword/objects for security purposes.

The interlacing of user content with metadata creates significantprocess, storage, distribution, and workflow security failures that arenot resolved with current technologies. Current technologies includeencryption, firewalls, intrusion detection, perimeter guards, and lockeddistribution packages.

The Secure Editor enables text and media creation. However, alladditions, deletions, changes, insertions, and reorganizations andreordering are tracked as metadata that does not become part of thedocument. The document as seen and shown to the user represents thedeliverable format. Since formatting is metadata, it is not included inthe representation. Formatting, such font sizing, colors, fontselection, footnotes, headers, subscripts, superscripts, line numbering,indexing, and other features characteristic of standard documentpreparation can be supported but are represented only as metadata.Tagging, including sensitivity level, categorization, taxonomyclassification, privacy, security, compliance, and semiotic meaning arealso represented only as metadata. This separation of representationfrom meta-representation is critical for creating the infrastructure forsecure information sharing, privacy, security, and compliance.

The editor is currently set in a WINDOWS environment. Pulldown menusprovide access to formatting and tagging features. The document, fromsource, precursor (marked and tagged but not yet filtered or extracted)and resultant final versions for each security level, as seen andrepresented to the user as is distributed in is resultant final form,thereby assuring security compliance. No hierarchical, hidden,encapsulated, linked, associated, or referential information is part ofthe data stream, file, or storage.

Metadata (such as formatting, such font sizing, colors, font selection,footnotes, headers, subscripts, superscripts, line numbering, indexing,and other features characteristic of standard document preparation) isusually hidden from the user. This supplemental metadata informationcontains all markup, tagging, formatting, and process supportinformation for the editing process and enables immediate granulardistribution of the data stream subject to the needed securitycompliance rules. In other words, the data stream can be automaticallyprocessed with other functions to satisfy multiple competingrequirements and sensitivity levels.

FIGS. 20, 21A-21D are discussed concurrently herein. FIG. 20 is a basicflow chart for one embodiment of the Secure Editor. Editor program 972begins with obtaining the source document 974. Of course, the sourcedocument may be any type of document as explained later herein. Step orfunction 976 obtains one or more filters for one or more security orsensitivity levels. Step 978 screens or processed the source documentwith the filter(s). For example, the source document in FIG. 21A inwindow 991 has text regions 993, 994, 995 and 996. In step 979, theSecure Editor displays, in situ (in the displayed document), thefiltered identified material and conforms the precursor document to thesecurity level protocols for the system within which the Secure Editoris employed as an information processing tool. FIG. 21B shows that theaddress data 993 is marked TS (top secret), region 994 is displayed incolor A for TS coding (please note that the addressee data may also beso marked) and is “red-lined” or struck out. Region 995 is displayed aspresented in the source document and is labeled U (unclassified) andregion 996 is shown in color B, is redlined and is labeled S. Labels TS,S, C (classified) and U are the established security labeling protocolused by the organization employing the Secure Editor. Other labelingschemes may be employed. Color is used to assist the user to select (andin some non-standard cases, deselect) the sensate data marked by theeditor. Redline is used to inform the user that the filter(s) willextract the marked data. Labels are used to permit the entity using theeditor to employ standard tear line protocol. Any data beneath asecurity classification of the user is under the tear line and the datais permitted to be distributed to the lower security cleared user. Ofcourse, electronic distribution of secure data need not use the hardcopy or print version of the tear line. However, this nomenclaturereferring to the tear line is used in the prior art systems.

Step 980 accepts the user's manual changes (typically upgrades) to theprecursor document. These manual changes are displayed, redlined,colored and labeled. Step 982 inserts the security label TS, S, C and Uhas discussed above. Step 984 notes that the system takes certain metadata such as author, date-time, version history, change history, etc.and converts this meta data into ordinary text, marks that data at thenecessary security level and labels the data. Step 986 permits the userto add (or omit) placeholders into the final document. FIG. 21C showsplaceholders as black lines or as XXXXX symbols (or other symbols)wherein the sensitive text is not shown but some replacement markers areshown. Th byline in region 1003 show “sanitized document.” The byline1003 in FIG. 21B lists the security level and the color representation.

Step 988 activates the filter, extracts the sensitive data andtemporarily stores the extracted data. Step 990 displays the filtereddocument and the user may view the filtered document at each securitylevel. Therefore, the user, before transmitting a secured email (orletter) may look at th source (FIG. 21A, may look at the TS level (FIG.21A) without the redline strike out but with security labels and colors,may look at the T level revealing regions 996 and 994 but not regions993 and 994 (which are TS coded regions), and look at U versions asshown in FIG. 21C. Step 992 disperses the extracted data and theremainder data or disperses partial versions of the document (thosepartial versions formatted and containing only data at or above thetarget security level (all TS level data (which includes TS, S, C and Udata), or all S data (comprising S, C and U) or all C data© and U)).

One feature of the present invention is that in step 979, the securitylevel protocol determines whether single words are granularly classified(TS, S, etc.) or whether a line is classified, or whether an entireparagraph is classified (see FIG. 21B). If a commercial/privacy filteris used to exclude all social security numbers, the organizationalprotocol is set at a granular level to exclude just social securitynumbers. Different group protocols use algorithms to mark, filter andextract adjunctive security sensitive words, characters, icons and dataobjects near the target security sensitive words, characters, icons anddata objects. The sensate words may be security sensitive words,characters or data objects defined by compliance with law, regulation orpolicy, privacy, national, organizational or private security concerns.For example, Bin Laden is the target sensitive word in FIG. 21B and thisclassifies the entire paragraph as TS level. The other words in theparagraph are adjunctive word/objects.

Document Object Model (DOM) Protection and Processing

The battle for data security has changed from protecting content to thebattle for concept and context. Sequential text files are the exceptionrather than the norm. Flat, plain, and sequential files would havedisappeared entirely from all but transitional processing steps exceptfor the recent success of HTML web sites and the desire for storage ofcomplex data into sequential XML formats. In spite of the apparentlinearity of HTML and XML, in practice these flat files participate in agreater complex hierarchy of structured data mapped by object models.The object models blur the lines between content, concept, and contextsuch that effective security requires a broader stroke than merelyencapsulating content with encryption and limiting access with tokens orencrypted certificates.

Linkages to external files, style sheets, and embedded applications orscripts undermine the simplicity of HTML and XML flat formats andcompromise point security. Even structured field or line andrecord-oriented file formats have given way to more complex data storagemodels. It is insufficient to view security of content and files interms of encryption and encapsulation alone. Structured object modelsmix content with metadata and methods such that non-granular access—thatis, either/or barrier-based access through encryption keys, dongles, andpasswords—undermines any concept of effective security.

Furthermore, simplistic document management and access control overlookthe multiple purposes for each compound data document and the adverseimpact on organizational processes and work flows. Barrier-basedsecurity also fails from any Pacman-style attack, where the barrier,once breached not only provides full access to the once-protectedinterior also interferes with analysis of the attack and observation ofhow to prevent the ongoing attack. Granular multi-level control of userdata, metadata, data stored through the specifications of a hierarchicaldata object model, and methods underscores the new security paradigm.This transition is most pronounced in Microsoft Office documents, suchas Word, Outlook, or Excel given the indiscreet distribution of sourcefiles. Office document publishing and Adobe PDF creation represents aminimal solution to the object model and metadata security risk.

All data sources important to data process workflow are non-linear,non-sequential, and not standalone in that the data sources areinterconnected to or required by other data sources. This includesdatabases, structured documents, desktop application user files,hierarchies of data structures, and work flows. The most advanced dataworkflow and the focus of attention is the object-oriented models usedin data processing today which comprise a cascade of events rather thana single point operation. This complicates security-related activitiessuch as security, survivability, privacy, confidentiality, andanonymity. The present invention improves the security of complexdocument object models and interdependent workflow.

There are only a handful of counterexamples to complex data structures,mostly monolithic file structures and simplistic processes. Thisincludes text files, raw binary image files, and lists. These aretypically inputs to older or uncomplicated computer activities; they donot reflect the complexity and interrelationships consistent with andnecessary for most critical networked data processing activities.Examples of flat files are text files, binary images, and lists.Plain-text documents are used only as temporarily or as conversion pathsfor other activities. Binary graphics are employed for their specificsimplicity, speed of display, and small size. It should be noted thatthey (BMP, GIF, and other formats represent the bulk of web images) areusually stored in an inverted backward last-to-first sequence. Listfiles are rarely important and standalone files are often a temporarypart of another process. One of the most ubiquitous of plain-text files,the HTML web page, is rarely a simple text file, but a circularconnection to many other like files and one part of a more complexhierarchy. A relative of lists is the field-oriented record structure.This is web page usually a grid-like storage of linear data. However,even a table grid, multi-dimensional indexing, SQL query concept isgiving way to object-oriented post-relational database storage methodsbased on object models in order to augment functionality, speed ofperformance, cross-platform and application functionality, and competewith easier to use user and developer products. Even the image files arebecoming increasingly complex. Hierarchical images formats with vectorgraphics compress motion and curves into small packages. Examplesinclude Corel Draw, Macromedia Flash, Adobe Photoshop, and MicrosoftPhoto. These of course contain proprietary andunintentionally-distributed information. Increased reliance on reliabledata storage infrastructure and networked storage technologies isenabling the transition to data storage based on object models.

FIG. 22 shows the root, branch, and leaf paradigm of this principal datastorage structure. See root 1012, content leaf 1014, branches 1016, 1018and leaf 1020. The object model refers to the layout or the map (ablueprint supplied by the document object model (DOM) vendor) of how thedata is potentially stored in what is definitely a linear file. Thestored file is the document object structure containing the data whereasthe model is the schema representation. The model FIG. 22 is just ablueprint for an empty data structure.

The data structure is stored as a binary file populated with datarepresenting a subset of that blueprint. The data file is often referredto as the document binary file so as to make clear that it is not aplain-text file, not in user-friendly format, and generally readable byan ASCII reader only in discontinuous chunks. The model and thestructure are not the same. The model (FIG. 22) does not represent asecurity threat in itself, it just represents how to find and definedata stored within an actual data structure. It is the data structure inmemory (the source document) or stored as a file that is the securitythreat. Usually, the file containing the data structure gives enoughclues to the purpose, methods, and sources . . . unless addressed by amulti-level security scheme attuned to the complexity of the objectmodel. Although this “file” is stored as linear flat file, the extendedstructures is dependent on the hierarchical collection of potentiallyinfinite branch and leaf references. Despite this complexity, there areclear reasons based on simplicity for this hierarchical structure, notthe least of which is flexibility, self-documentation, andbackwards/forwards compatibility.

The subtle differences between a plain-text file, a file containinglightly structured data, the schema, and a file containing data withinan object structure becomes very important for security. When files aredistributed and those files each contain data within object structures,workflow is complex and cannot be effectively protected withbarrier-based security without complicating or disrupting operations.For these reasons, internalized security reflecting leaf content,structural paths, and the mesh of inter-relatedness among the paths,leaves, and external sources becomes the next paradigm for implementingeffective content-level and application-level security. Consider thedata structure defined by an object model as an organizing container.The contents within can be empty, or collections of containers, withmore containers within. It is a security sieve with traditionalencryption and the requisite inter-process work flows. The leafs and thesecurity of the leaves does not secure a chain of evidence increasinglynecessary in modern data processing activity.

Enhanced security must reflect this distributed requirement since thedata sources are not single point sources, but complex relational,object-oriented, or hierarchical. In addition, data access andprocessing is approaching a worldwide distributed infrastructure, andcompletion transcends single places, times, and events. When thesecurity problem is dispersed, the security solution cannot bemonolithic either but must reflect the dispersed distribution andhierarchical complexity of the data and process. Location is not theproblem, so metaphorical perimeter walls are not the answer. To treatsecurity too as a monolithic, static, and walled solution when thesecurity problem is granular and dispersed within a flexible time framemisses its true need. Effective data security must reflect fiveinformational attributes in a newer paradigm for security. The fiveinformational attributes are listed below and examples of the attributesare also listed. For each security sensitive organization, the datastructure must be analyzed and the five attributes must be applied toeach root, branch and leaf to ascertain the level of securitysensitivity for that item. For example, a TS level may establish byapplying the five attributes that all audio files are “security safe”for that level but these audio files will not be downgraded or releasedto a lower level. Therefore the meta data representing the audio file isdesignated TS. Another example is that all machines at the securitylevel T are 2004 machines and programs. The organization may set, as apolicy, that all MS Office program meta data need not be backwardcompatible beyond 2004. This organizational protocol then reducessecurity issues relative to the backward compatibility issue.

Informational Attributes for Security  Purpose  Sources and methods    Ownership     Date or timeliness     Content   PurposeClassification - Exemplary Table .backwards compatibility (purpose:communication across machine platforms .background color (purpose:visual presentation) .font size (purpose: visual presentation) .image.video .audio .version control (purpose: source identification) .etc. Sources and Methods Classification - Exemplary Table    .origin plaintext    .origin entire document    .image    .video    .audio  Ownership Classification - Exemplary Table    .source, author   .security level initial document    .security level generatingmodifications to initial document    .hierarchical, orthogonal securityclassification     Date or Time lines - Exemplary Table    .versioncontrol    .source identification (includes all contributing     authorssupplying modifications)

These five security attributes reflect not only the data content butalso the point processes, embedded resources, and work flows.Traditional security methods fail at reflecting these attributes with aone-method-fits-all-mentality. A perimeter defense is an either/orproposition allowing or disallowing access in full, preventing anygranular or multi-level security. Multiple perimeters or different entrypoints through a single wall also fail presuming a linear or retrogradeprogression of access through rather an overlap or mesh of accesscontrols.

This metaphor fractures complex data processing workflow. Traditionalsecurity methods erect a monolithic perimeter around the process, files,delivery, or storage. Walls prevent sharing, access, and evenprocessing. Walls are a barrier to entry for all those who do not havethe permission to pass through that single door. It fails completelywhen that single entry point is permitted to be bypassed or any part ofthat barrier to entry is forced. It is monolithic security concept fordata sources and processes that have not been monolithic for more than20 years, Unfortunately, that outdated metaphor fails to reflect thatnot every access is through the same door and needs different controls.Data sources are not monolithic, and certainly data is not either.Distributed data, distributed processing, and widespread distributiondefeats monolithic security schemes. Encrypting and packaging data filesor their access methods represents a monolithic failure for complex andhierarchical data sources and processes. Access needs to be granular andmulti-level, and represent the five informational attributes presentedabove.

Implementing Document Object Model (MS Office) Security

As an overview of the process and the theories discussed herein,security flaws within Microsoft (MS) Office Suite result fromill-conceived data structures and because of the very integration thatmakes the Office so useful. Microsoft cannot repair these security flawswith bug fixes or security patches. Only a major overhaul by Microsoftof the suite and its constituent applications will eventually repairthese flaws by altering the Office workflow and processes. However,practical and realistic solutions for risk-mitigation presented in thispaper can be applied now. Neglect to address these flaws violates newprivacy and security regulations and perhaps borders on malpractice.These flaws are not the achievements of hackers and outsiders, althoughthey can be exploited by hackers, competitors, adversaries, and datamining analysts. They result from fundamental design characteristic ofall the MS Office Suites and each desktop productivity applicationseparately. Every MS Office binary document contains confidentialinformation. This ranges—from small amounts of information aboutauthorship—to the editing history complete with deletions, reviewercomments, file attributes, and source and routing information—toextraneous baggage from documents previously edited during the samesession. The unanticipated delivery of such sensitive informationrepresents a serious and credible risk through the loss ofconfidentiality, repudiation of privacy, breach of secrecy, and exposureto organizational sources and methods.

The present invention shows how to skirt these flaws. It defines theinherent application security risks and demonstrates offsetting securitymethods. The positive focus is on document security and controlledpresentation. While encryption is a partially effective solution, it isjust a point solution even when extended by public key encryption (PKI),Kerberos, or digital signatures. Encryption of MS Office documents hidesintegral risks until the documents are actually viewed, printed, edited,or emailed. Encryption breaks most work flows that are the statedbusiness goals for the Microsoft collaborative environment. Because ofthese security lapses, creating and implementing MS Office security, asexplained in this paper, must be implemented through a multi-facetedchange in behavior. It is also implemented by altered workflow processtailored to specific needs of each organization and attention topresentation formats used for distribution. This shows methods to secureMS Office documents despite these fundamental security design flaws.

A multi-faceted security workflow process becomes an issue over controlof distribution by document type, recognition and categorization of alluser content defined by security exons (discussed later), removal ofnon-coding or non-activating security introns (discussed later),preparation and distribution by clearance levels, content certificationand accreditation (C&A) subject to conversion to primitive andcertifiable file formats, distribution in print-representative-likepackages, with guarded ingress and egress of Office files. Finally,implementation of security through granularity of MS Office nodeelements by analysis for inclusion and exclusion is a far more effectivemethod, permitting collaboration within a multiple-usage infrastructure.

Microsoft Office Suite and Applications

The preeminence of MS Office in terms of functionality arrived withOffice 95. The innovative object-oriented hierarchical data model firstdeployed with Office 95 is now fundamental to all versions of Word andall MS Office applications. Yet, this data model itself createsfundamental security flaws. Feature and functional advances since Office95 clearly have value, but are increasingly aimed on workflow efficiencyand integration. Microsoft Corporation markets Office as a platform fordelivery of new services within a collaborative environment. Whilesecurity is a stated strategic objective for Microsoft in terms of isTrustworthy Computing Initiative, a lack of fundamental security designand ill-conceived workflow processes within Office undermines thisobjective. As such, MS Office represents a critical but widely-usedcommercial off-the-shelf (COTS) platform with significant inherent riskbecause of workflow and object data model design flaws.

Achieving Microsoft Office application security is significantly moreinvolved than obvious. MS Office applications represent vulnerabilityrisks at the file, operating system, process, and workflow levels. Nosingle approach for security is sufficient. Banning MS Officeapplications and MS Windows does not organizationally, politically,operationally, or even economically represent a viable security formula.The use of MS Office applications is so widespread that any outright bandoes not preclude delivery and reliance on these file formats andprocesses with any number of overt, covert, accidental, or engineeredrisks. In fact, alternatives include “work-alike” macro-languagefunctionality and file format support. The core security risks inherentwith MS Office have been coded into other such products, as well as mostother desktop productivity tools and off the shelf or COTS products.Work-alike competitors include Sun StarOffice, 602 Software OfficeSuite, WordPerfect, Lotus Notes with 1-2-3, and other OS-specific tools,such as MS WordPad delivered as an MS Windows applet. Use of oldertechnologies or a rollback to older technologies in order to improvesecurity is professional sabotage and undermines the increasedwhite-collar efficiencies observed with MS Office. It creates at best afalse sense of security due to the pervasiveness of MS Office documents.One may avoid creating them, but one will certainly receive them andneed to respond. Furthermore, security solutions must also reflect theneed for ongoing user support in products, usage, and processes. Forexample, Microsoft has specifically stated it will not issue anINCLUDETEXT patch for Word 97 because it is no longer a supportedproduct. This reinforces the notion that addressing security flaws is aprocess with currently supported and evolving products rather than acollection of point fixes and patches for released products.

Office Versions, Releases, and the Data Object Models (DOM)

MS Office is a security risk because of the interaction among the MSOffice applications and documents, the creation of metadata in binarydocument file formats, and the shift from one of results to that of areentrant and ongoing process. Document data has expanded from simplelinear files to complex object-oriented structures. FIG. 22, 23. MSdocuments are black holes in that what goes into them at any pointusually stays there. Additions, deletions, system information,redlining, reviewer comments, and routing become indelible parts of eachdocument. Many different versions of MS Windows, server extensions, andmany releases of MS Office or its constituents complicate security.Application features, bug fixes, security patches, and 3^(rd) partyadd-ins complicate the nightmare when assessing and ascertaining theexact composition of the MS Office environment. Client-basedapplications, such as InfoPath, Outlook, Outlook Express, InternetExplorer, the various scripting languages, plus server-basedapplications including Exchange, SharePoint Server, Net Meeting and LiveMeeting Whiteboard, Live Communications Server enhance the collaborativephysical coverage of MS Office but also correspondingly increasesecurity and privacy risks.

The MS Office document is forwards and backwards compatible across MSOffice releases. This means that Office 95 can open and alter Office2003 documents, and Office 95 can open and alter Office 2003 documents.However, “dead” internal structures are defined in obsolescence and newstructures have been added to the newer versions. Cut and paste amongthe Office applications adds non-native structures too. Therefore,results from file conversion, raw data, metadata, links, macro code, andstructural elements can be hidden accidentally or purposefully. It alsopossible for a sophisticated user to create new and undefined covertstructures ignored by all extant MS Office versions and tools, visibleor activated only by complex steps, since MS Office does not validatethe integrity and applicability of internal structures within a documentbinary file.

Security that is part of MS Windows or MS Office, such as userpasswords, file passwords, password-protected databases, fileencryption, and range protections are not sufficiently effective. Eventhe Windows Encrypted File System (EFT) and Active Directory (AD) merelypostpone inherent risk until files are distributed outside the perimeterof the encryption system. Other methods defeat overt security. A largenumber of tools recover passwords and unlock encrypted MS Office files,zipped files, adobe PDF distributions, or reverse engineer and open FAT,FAT32, and NTFS files. An Internet search with a browser or a filesharing program will uncover any number of freeware, shareware, trial,commercial, and pirated tools to do just this. Furthermore,collaborative sharing of an MS Office file requires that any such filepasswords be divulged to open the files; this exposes all the hiddenstructures, metadata, and security risks inherent in the document orreferenced resources.

A typical commercial installation will include any, all, or additionalcomponents as listed in FIG. 23. This chart does not included ASCII fileformats, printers, printer drivers, FAX drivers, HTML, XML, AdobePostscript or Acrobat drivers, Outlook or Exchange databases, and OLEdocument objects, plus other COTS products that integrate with Office,expect Windows or Internet Explorer components, use dynamic dataexchange (DDE), object linking and embedding (OLE), or exploit thekernels of Windows and Office. These all pertain to the process ofimplementing MS Office document security.

It is important to recognize that there are many file types and documentstructures associated with MS Office, specifically defined by the formalMS Office documentation at msdn.microsoft.com but also those shared withother MS Windows applets and competing products. Each MS Officeapplication, such as Word or Excel, create file binaries or binary fileswith different object structures but interchangeably read/write andimport/export each other's file types, embed portions as formatted textor complete objects, or link through remote procedure calls to theseother file types. These object model structures are generically calledthe Document Object Model (DOM). The DOM is another term for anobject-oriented data storage package. The purpose for the DOM withhierarchical storage of metadata is three-fold. First, it is useful forbackwards and forwards version compatibility. Second, metadata extendsthe document creation session from one-time event into an ongoingrevisional process. Third, metadata provides order and structureotherwise notoriously difficult for inherently free-form and flexibledocuments.

Metadata provides backwards and forwards version compatibility, aproblem that plagued the software market of the 1980s as upgrades werefrequent and disruptive. This is specifically missing with Access andits .MDB table space/workspace metaphor. Frequently, software upgradesincluded old data upgrade routines to convert old formats to new. Thiswas both risky and prevented reversion to the older software versiononce the converted data was used in the newer application. Metadataprovides the necessary blueprint, format, and structure retention sodocuments can be revised in future editing sessions. Try creating acomplex document in Notepad, which is a plain-text editor, to understandthe desirability of maintaining other channels with documentinformation. It is just that these other channels with documentinformation are packaged in the same file binaries for all Officeapplications. Consider how difficult it could be to reset typecharacteristics every time you reopen a document. This information ispart of the Office metadata, although style sheets and schemasmaintained in a different storage channel are valuable in HTML and XMLand might aid the future transition to a secure MS Office.

It is incorrect to assume a static basis for any MS Office applicationdocument structure, as a monolithic MS DOS-based file, or as anin-memory object. For example, the Excel DOM can be embedded inside aWord DOM, which selectively can then be pasted as a formatted objectinto a PowerPoint presentation. Because of this workflow, simple toolsand methods will not eliminate the security risk. It is not just a Wordproblem; law offices using mostly Word probably represent the simplestsecurity exposure. That is the exception, of course. In general, youhave to address the security through each DOM individually. Each versionof MS Office supports different object models, each application with thesuite has a different base object model. In other words, while somefeatures in Word 95 are still supported in Word 2003, other features inWord 95 might have atrophied and are no longer supported in the same wayor even not at all. In addition, Word 2003 has wholly new features andcorresponding extensions to the object model not recognized by Word 98.This demonstrates that metadata is version-specific and hidden whenanother version is upgraded with a newer one. Another concern thatarises in almost every Office document is imports, pastes, and OLEimbedding of other Office documents and aspects of the object modelcorresponding to that application type. For example, a base Worddocument with a spreadsheet and Project waterfall chart now includeseditable components referencing a different Office applications withdata in a structure referenced by that corresponding application objectmodel, in this case Word, Excel, and Project.

FIG. 22 shows each branch or leaf can be replicated indefinitely untilreaching the limits of Windows RAM or file size. Each MS Officeapplication has a different DOM. Because of DOM evolution, with the MSOffice assertion of backwards and forwards compatibility, realize thatsome nodes might exist in the binary document file but not everyfunction appears within each published output because it is not used bythe author.

A notepad text file in a corresponding word document has a 40 characterfile is stored by FAT32 in minimum 1 KB blocks, although its 1 KBstorage block only uses 40 characters (use a hex editor). In contrast,the basic Word document file requires 18 KB on initial saving, but afull 28 KB with edits and deletions, metadata, and redlining, as shown.Footnotes, font changes, hidden text, additional changes, headers, andfooters, table of content, indexing, an index, macros, .DLL add-ins,.OCX add-ins, and formulae could arbitrarily increase the file sizeindefinitely. This shows that MS Office security risks are reproducibleat any user desktop. A hex editor used in conjunction with an initialraw ASCII file and the corresponding .DOC file also shows risks. ASCIItext has only 40 characters despite the directory display of the 1 KBFAT32 block. The internal encoding of the .DOC file with initialcontent, the binary object structure and additional metadata arepartially encoded in a padded form of ASCII. The metadata displays thesource location of the document, removing possible doubts of filedirectory structures, security based on location obscurity, and otherrational workflow techniques for securing user files within the contextof a network infrastructure.

Although Microsoft admits these security flaws, it downplays the risk.MS Office represents a serious and credible risk for security, privacy,confidentiality, and integrity but some of these flaws result fromefforts to address version data set compatibility with upgrades, processflow reediting, and support for functional improvements. Not all the MSOffice risk vectors can be explored with Notepad. Most of the metadatais not visible ASCII text but rather encoded binary data and complexstructures. Use of a hexadecimal (binary) editor at www and sf-soft.comor another forensic tool web site reveals additional metadata in MSOffice products. The utility of forensic tools is critical to securitysuccess because of the complexities of desktop and server workflow, andalso because of the document structure itself. Binary pointers list thelocations of document node elements and other pasted or embedded datastructures. Although WinHex is useful to demonstrate several hiddensecurity flaws in MS Word, the simple hex editor only reveals thecontent of a simple DOS file or Word file as a monolithic storage unit.In reality, that DOS file is backed up, replicated, written, rewritten,and stored in duplicated extents throughout machine RAM, system buffers,and disk blocks and sectors. MS Word “fast saves,” versioning and plainbackups create a melange of risk vectors that transcend this paper, butare nonetheless relevant to anyone assessing system, MS Windows desktop,networking, and network neighborhood access control and security issues.Security really is a metaphorical ice field, and what you do not see andare unaware of can be catastrophic.

Microsoft is aware of these flaws and has published these thirteencategories of dirty metadata: Name; Initials; Organization name; Name oforiginating computer (desktop); Name of network server and/or harddrive; File properties and summary information; Non-visible embeddeddocuments; Names of previous authors; Document revisions; Documentversions; Template; Hidden text; and Author comments. Some of thismetadata is accessible through the Office application menu interfacethrough menus and dialog boxes. There are also the document fileproperties exposed by the Tools/Options pulldown menu and the UserInformation tab. The earlier explanations reveal that all dirty metadatacan be removed through menus and dialog boxes. Some of the metadatapersists indefinitely.

This is not the complete list of metadata. There are other categories ofrevealing metadata also known to create security risks but not fullydisclosed by Microsoft. Consider reviewer comments and redliningworkflow. This often includes embarrassing suggestions and the routingof the reviewed document. Other visible metadata with confidentialityrisk include: Footnotes; Cross-references; Table of Contents tags;Indexing tags; Hyperlinks; and Smart tags. Expect x-link and x-pointersplus style sheets and schemas within documents saved in the XML format.In addition, other undocumented structures are part of the extended andexpanding Office document object models. Consider fields and mail-mergefields, which are markers for information automatically inserted byOffice or by a user when opening, saving, printing, or emailingdocuments. These fields create a built-in facility for carelessinformation disclosure or overt hacking. There are also the documentfile properties exposed by the File/Properties pulldown menu. Thisincludes: File/properties; General; Summary; Statistics; Contents; andCustom.

Other security risks are not specific to MS Office. The techniques forinformation camouflage are equally valid in most any desktopapplication, and are most relevant to presentation output rather thanbinary file delivery. Information camouflage includes text set to smallfont sizes, such as 0 or 1, fonts set to type unlikely to be installedon the system which map to symbols or line drawing, PostScript orUnicode font sets with alternate encoding, and font color set to matchthe paper color or an applied background. White font on white paperhides text, black font on a black border or shading hides text too. Textcan also be hidden with graphics when the graphics are anchored to aspecific location congruent with the text. Color games with text andgraphics also hides the text. Macros, VBA (Visual Basic Application)codes, VBA add-ins, and applets also represent a security risk. Anythingthan anyone can imagine as an application can run from within MS Office,productive or destructive. Usually, these bits of code are stored aspart of the document metadata. However, they also can be out-of-channelfiles. Either way, they can be compromised by a new code that overwritesthe original. They also can be inserted through fields, formulae, ormenu add-ins. Collaborative tools are the most obvious entrée, butWindows security flaws also provide some interesting opportunities forOffice security exploits.

New features in Windows and other Microsoft digital rights management(DRM) applications, such as ORAPI, ADSI, and MS IRM provide forcollaboration, resiliency, and complex versioning and backup far beyondthe capabilities of MS Office.

Content Security

The differentiation of content within an MS Office document based oninitial owner and target distribution is important for informationsharing with coalition or business partners. Some content will bestrategic, some tactical, and other content can be downgraded bycensorship of information such that only target parties in-the-know canunderstand the context. This is accomplished by downgrading the contentwith a publishing format change, element removal and exporting within anew provably-secure format. Downgrading is a process well-known to themilitary, anyone who prepares of documents for release under the Freedomof Information Act (FOIA), paralegals who are in the known and delivercase information to the courts, and anyone censoring privileged or tradesecret information from distributed documents and email. For example,faxing a Word document to a legal adversary is acceptable since theimage is a controlled and published representation. However, delivery byWinFAX delivery of the editable binary file is unacceptable. WinFaxintegrates easily with MS Office and has that file delivery capability,which should be avoided for security reasons. As another example, iflegal eFiling rules necessitate delivery of a document within a binarydocument format, the MS Office document can be created as a printedpaper or file (Print to Text, Print to PCL, or Print to PS MS Windowsdriver options), output to a TIF image, print to an Adobe PDF file, orexported through a filtering sentinel as an ASCII test file. Note thatthe MS Rich Text Format (RTF) is not suitable because the RTF formatalso includes metadata. If font, table, and presentational format mustbe preserved—since ASCII does not support that—any image output is agood choice. However, be aware that postscript, Adobe Acrobat, and evenimages can be reconverted to a formatted binary document with conversiontools and optical character recognition; all metadata, edits, redlining,versioning, and workflow will be not be recovered, of course, which isthe essence of locating MS Office security flaws and implementingsecurity.

Content of MS Office documents transcends the actual presentation as aprinted page, slide, spreadsheet, database report, email message, anindex of documents, UML: or project waterfall, or organization chart.Microsoft Corporation is positioning Office as a platform for deliveryof new services; it is not just about a PowerPoint presentation or aWord document printed to a facsimile. The DOM is a project plan, with astructure, with components that do things and are sensitive of theirown. Recognize that MS Office security is also a cross-platform issue.Inclusions could be aimed at Macintosh, Unix, Linux, or other operatingsystems and even other document applications. Delivery of any MS Officedocument can represent a security on egress by containing proprietarydata and functions or by ingress as a carrier for a virus or Trojanvirus. Even Outlook email with its potential for rich-text formatting,HTML or XML content, links, inserts, and file attachments carries theentire MS Office risk with it to wherever and on whatever platform it isreceived. For example, the MS Office document could include an attack ona Linux-based SendMail server or client. While metadata and redliningcontain sensitive data, when integrated with webDAV interchange,InfoShare, Exchange, and other collaborative environments, they alsocontain workflow and traffic content which can be equally sensitive.

For these reasons, it is important to explore the MS Office DOM riskfactors: Content classification; Tagging; Clearance level; Data mining;Traffic analysis; Inference; Encryption; Digital Signature; Documentaccess linked to Fortezza (an encryption program/system), PC Cryptocards, smartcards, and n-factor authentication; Granularity; Strategicinformation; Tactical information; Common Criteria or NIST analysis;Covert channels; and Bell-LaPadula model conformance.

Content classification occurs with tagging for formatting with bold,indexing, and paragraph marking, explicit element tagging for HTML andXML or database and spreadsheet table, field, ranges, row, and columndesignations, as well as authorship techniques, such as “ . . .describes the formal issues of security introns in the next section . .. . ” Formulae and macros define ranges with informational content, aswell as indicate purpose and intent of the process as well as the targetdata. When content is tagged at the sideline, as in “eyes-only,” orwithin-the text with any label name for clearance level, as in “<1>,”this attests to a security level with an importance that exposessecurity lapses. Although MS Office 95 reached the utilitarian level ofadequate functionality, the new features of MS Office and the inclusionof photographic manipulation, pixel editing, vector graphics, charting,data sorting, Find and Replace, indexing, tagging, smart tags, links,and collaborative integration through such as OneNote, InfoShare,Outlook, and Exchange expose the MS Office documents file storeindividually and in aggregate to data mining techniques. For example, asubtotal of employee salaries within a pro form a business plan matchedagainst a list of employee names compared to a bank check ledger givesaway each employee's salary level; each document in isolation does notgive away information until several are merged and analyzed together.Direct analysis through record relationships and sorting is one type ofdata mining, human intelligence through inference or statisticalinference with set theory or Bayesian methods is yet another. Forexample, because you know that 6 employees are traveling to a conferencein D.C. and two others are not in the office, you can approach aparticular person who by inference is manning the station desk with avery specific social engineering attack. OneNote, InfoShare, Net Meetingand/or Live Meeting, Outlook, and Exchange with MS Project also enableworkflow routing, group editing, and acceptance signoff. Thisinformation becomes part of the document metadata so that trafficanalysis shows where the document originated, what changes were made andby whom, how it was routed by username, network, and IP address, who hasseen it and has access to it, and all process flow and comments. One ofthe secure prizes of organization information thus unintentionallypublished is the names of people within the organization and functionalroles.

Encryption, digital certificates, digital signatures, biometrics, andUSB or other hardware Fortezza access devices bind into workflows,access to applications, and access to specific files. For the most partthis represents and all-or-nothing security. An encrypted file means youcannot access it until it is decrypted; since MS Office files arenon-linear, partial decryption is more likely to prevent it from beingopened by any MS Office application. Once the key is provided, the catis out of the bag. If multiple users get the same key, it is likely thatkey will float around freely. Encrypting a document multiple times foreach user intended to access it is a workflow nightmare. Furthermore,encryption packaging does nothing to provide egress or ingress security,or handle the granularity issue. Encryption is effective at a low levelor when combined with the other methods described in this paper.

Security through granularity of MS Office node elements by analysis forinclusion and exclusion is a far more effective method. Multiple sourcedocuments create structure and semiotic meaning not in evidence withsubsets. This process breaks the context to prevent useful data mining,routing inferences, and the more powerful semiotic information methods.It allows for the separation of strategic information from the tactical,so that access is granular by role, user, and other discriminators. Manyacademic and implemented security models are in use today, both as astraw man and for certification processes. This includes the CommonCriteria, NIST certification, and the Bell-LaPadula security conformancemodel. These models assert the need for air gaps (non-electronicpathways to transmit information) between organizations with differentsecurity levels, but do not provide a means for information sharing aslegislated by the 2001 Homeland Security Act or normal organizationalcollaboration or data processing workflows. While they do address thepotential for covert channels (insertion of content in alternate formatsor encoding) and how to protect against them, the methods are noteffective except at a very superficial level. Instead, MS Officesecurity must be implemented at an intron level, as described laterherein.

Implementing Document Protection

Several steps are prudent to enable MS Office document protection. Thefirst step is have a network guard (see FIG. 16) that filters allincoming and outgoing traffic for MS Office document files andquarantines them. Spam and virus filtering is necessary to precludesystem, resource, and file exploits. URL filtering, quarantine lists,black lists, white lists represent the minimum responsible approach.Ingress files can harbor viruses, etc. Outgress files can harborprivileged information at any and all levels of the DOM. With a means tofilter and check every node for purpose, content, metadata, formats,structure, comments, links, and so on, there is no other way to vet theintegrity of the file.

It is insufficient if not impossible to remove metadata. Removingmetadata from the files binaries often irrevocably corrupts files—sothat they will not print, save, or be in any way recoverable with theautomatic corrupted file recovery tools. The only complete answer is towalk the object model and assess the purpose and content of eachsubstructure, inclusion, or node element at a granularly content andfunctional review. By the way, this makes it possible to vet a documentas provably secure. The document can then be published, exported, orrecreated within a new context suitable to the organization workflow andsecurity needs.

MS Office is not the only application to rely on a DOM or documentobject model. Most other modern desktop applications utilize the samebackward and forward extensible structure, but characteristically createsimilar security risks. With respect to Adobe Acrobat files, metadatabecomes a visible part of every mastered Acrobat file even though itmight not be any part of the source MS Office document exported as anAcrobat package.

Prior art efforts to scrub MS Office documents represent partialsolutions at best and a false sense of security at worst. Microsoftposts a Knowledge Base article on metadata (MSKB Q 237361), the helpnote, “Get rid of tracked changes and comments, once and for all” and acommercial product called Metadata Assistant automates these genericprocesses. The promise is not a full solution; it is partial at best.These solutions might get the metadata in the master document, but notfind the hyperlinks, the subdocuments, or confidential information stillin plain view. Since a typical document is compounded from more thanjust Word and Excel, and often is part of a process, as in Outlooke-mail with document attachments, scrubbing has to get each piece andwalk the object model for content.

DOM Process Editor

Document object model (DOM) source documents, and particularly Officedocument modules, comprise the blueprints, process, external datasources and linkages, and materials for building the resultingpresentation; the presentation content is usually the ultimate endproduct. The blueprints and process often are immaterial to thepresentation and represent proprietary and confidential material. Thedelivery of a document is not the same as the publishing or delivery ofthe presentation content. The difference is a significant security gap.While this DOM object model flexibility represents programming andworkflow innovations, this flexibility was not created within thecontext of security or the knowledge of the power of data theft anddamage. This DOM object model complexity and diverse accessibilitycreates security issues. Simple wall barriers, such as encryption, fail.It breaks the workflow, prevents sharing, control, and flexibility.

Effective DOM (Microsoft) and metadata security, requires adherence tothe five informational attributes discussed earlier. The objecthierarchy structure is variously described as a binary tree, categorystructure, or hive. In any event, the entry point is the root or base,containing a potentially infinite number of subcategories, each with apotentially infinite number of leaf items. See FIG. 22. The structurecan be pruned, deleted, or rearranged. The items representobject-oriented information, from entire subdocuments, to relationaldatabases, layered graphics with vector elements, to simple plain-text,to a single binary numerical element.

The process requires a parse of all branches to each and every leaf.This process is not recursive, just extensive. Each path is examined forcontext, each leaf for content, all nodes for external references, andeverything must be viewed within the context of sources and methods, notjust obvious content. The obvious content is what the user created andsees, but as you now know, that is a minor portion of the data containedwithin the document object structure. This is a paradigm shift is shownin the hierarchy below:

Table for Processing DOM For each document (the file and structure)  Access the root     For each limb       For each branch         Foreach sub-branch           For each leaf (item)             Process eachleaf

Preservation of the path to each leaf is important as it defines theaccess to that data element. The existence and/or null value of the leafrepresents a security control point. The model defines, withsupplemental external knowledge of the object model, the possiblesecurity risks. The model and the content are not separate from externalknowledge of sources and methods. The leaf is for all intent andpurposes the significant security control point. Hiding, encrypting, orremoving the leaf does not provide security any more than encrypting thedocument file does. It breaks the workflows to do so. However, it ispossible to review and alter the contents of the leaf within the contextof the purpose of the leaf to retain functional access with multi-levelsecurity.

Five Informational Attributes

Specifically, lets review the five information attributes of security incontext to processing the leaf, purpose, sources and methods, ownership,date or timeliness, and content. Although most security methods seek toobscure content, the last and most insignificant item, effectivesecurity must review the four other elements as well as those itemsinteract with the organizational aspects of the entity imposing thesecurity system on its users. The entity must establish protocols whichrate or prioritize the five information attributes on each root, branchand leaf in the DOM source document. With the system initialized in thismanner, the processing of the DOM document within the parameters of thesecurity entity is accomplished.

Purpose

How does the purpose of the leaf provide context, purpose, orinformational reference to the document as a whole or the individualleaf? Does it provide source, destination, authorship, viability,validity, verification, or integrity to the document as a whole or theindividual leaf? Consider the value of processes imbedded in thedocument as cell formulae, a help file, or other complex routing wizard.Does it show linkages or references to other documents? What is itsstatus or position within the document? What is its element position, asa headline, footnote, or redlined status? These seemingly minor detailstranscend actual content but provide clues to the following attributes.

Sources and Method

Intelligence agencies stress the confidentially of the sources andmethods used to gather information. The information itself might ormight not be important, but the ongoing care of the sources and methodsis important for future information gathering activities and retentionof any status quo until action is initiated. In addition, the viability,validity, verification, or integrity of the document is predicated bythe viability, validity, verification, or integrity of the sources andmethods used to create it. In terms of the Office document, this type ofinformation is both contextual, leaf content, and metadata. To presumethat security is only user content at the leaf misses the value ofmetadata and the inherent risks of the object-oriented document format.For example, authorship, source, source dates, editing dates, deletions,redlining, notes, footnotes, MS hidden text, links, and other structuralelements describe when, how, where, and who created the document. Thisspeaks to the viability, validity, verification, or integrity of thedocument as a whole, and can compromise past, ongoing, or future datacollection efforts and operations.

Ownership

Ownership is reflected both in leaf-level content—that is obvious when adocument is presented or published—but also in the metadata. Ownershipis also a characteristic of file storage properties, in ring rights,file storage position, linkages, SMB or network file access rights, andHTML references. Ownership, particular the number of links, the timesaccess and edited, numbers of hits, and the level of churning, suggeststhe relative importance and merit in the document.

Date-Timeliness

Date or timeliness reflects currency. The dates, in terms of edit times,access times, and frequencies suggest the relative importance and meritin the document. Touch and other file-level commands can only mask theovert date and timestamp of a file, not its purpose or content, truetimeliness, or merit. This information is spread through the metadataand leaf content. In some hierarchical structures, this information isstored in tables or other structures apart from the immediate documentroot. When a document is a relational data structure, as in Access orSQL, hidden system fields and hidden security data define edit anddeletion times. It is also important to recognize that in databases,records which are deleted by the user are only marked as deleted butpersist until the database is purged, packed, cleaned, compressed, orotherwise processed in a maintenance mode. When relational technologywith transactional logs and rollback facilities are enabled, data can berecreated or dated despite many types or natural of instigateddisasters. This supplemental metadata defines date and timeliness too.

Security

Security of content can be compared to erecting a barrier around thatcontent. However, when content becomes a collection of simple dataelements along with data objects, dispersed and distributed sources,effected by embedded events and triggered methods, barrier-basedsecurity completely fails with any breach and is not effective for themore complex object structures.

Human intelligence can ascertain content from some parts of thedeclassified whole. Even distributed and dispersed content can provide acoherent view of the concept and context. In such cases, partial contentdefines the concept and the context. The details, which are extractedand hence missing from a particular reconstituted slice of thereclassified source. While amounts, times, places, and participants aremissing or represented by placeholders and even misleading information,external sources of data will confirm and elucidate the missingcontents. It becomes important to extract and disperse enough of theobject model elements and metadata to obscure the concept and context aswell. This process addresses the shortfalls of the single fileencapsulation and encryption opening a functional avenue for multi-levelaccess control of even the most perverse but prevalent of the MS Officedocument object models.

While content is king in most security systems, it is not the onlycritical aspect of a source document. In terms of protecting andprocessing an Office document, each leaf must be processed and assessedfor its security needs. Note again that each leaf may be anotherobject-oriented structure in its own right or a simple element. It willneed to be processed and assessed accordingly. This means the leaf mustbe evaluated for content, then ignored, encrypted, extracted, ordispersed. The present inventive system can also mask, replace, or seednew content at this leaf. Reconstitution is represented by a recoverymap with leaf path reference, a multi-level scheme, and multi-level dataprotection. This enables full or partial reconstitution as directed.

Security Introns and Exons

Terminology employed in connection with the operation DNA(deoxyribonucleic acid) provides an appropriate metaphor for the MSOffice document object model or any other DOM model. While the DOM isseparate from an MS Office binary file, it defines the purpose of thatfile and maps its activation. The DOM “genes” are expressed into thefile binaries only as specifically referenced, and frequently divergefrom the pure MS Office application as genes from other OLE (objectlinking and embedding) applications are embedded into the document. TheDOM and the expressed document can mutate for better or worse, and bothbackwards and forwards the document is adaptable just like DNA, withunforeseen consequences including the profound security flaws evidentwithin the MS Office workflow.

In genetics, an intron is any non-coding or non-activating sequence ofDNA initially copied into RNA but cut from the final RNA transcript orunknown as to singular or recombinant purposes. Introns are excluded orignored in the DNA process. An exon is a coding or activating sequencewith a known purpose that is actually used or one that is unknown as topurpose but nonetheless still used. DNA is, of course, the blueprint forlife. RNA is the functional transcript of the DNA blueprint used forcell division and replication. Exons are the useful portions in the DNAcycle.

In the object model, the DOM is metaphorically the DNA blueprint for anMS Office document whereas the actual Word, Excel, or Outlook message isan expression of the RNA as a functional transcript. Correspondingly,the security intron is any document branch, leaf, or node element with anon-coding, non-activated, or even unknown control utility for thedocument. From a security standpoint, each and every intron represents anon-qualified element that is a potential security risk. Securityintrons are ignored or deleted. A security exon is any document branch,leaf, or node element serving an end purpose. Each exon in a MS Officedocument becomes a certifiable data element.

Unless each such security intron and security exon in the sourcedocument DOM can be vetted for credentials; those that express potentialfor danger must be removed, and those that express non-coding,non-qualified, or unknown utility must be removed and/or quarantined.This security method corresponds to existing virus scanning technology.All known files containing a virus or matching a virus signature arealtered and repaired, or in lieu of that quarantined. However, in the MSOffice document object model (unlike all the EXE files today), thegranularity of node element control allows us to decompose the contentsin its entirety and reassemble a vetted distribution inprint-representative-like packages. Not only are known security risksextracted, potential risks quarantined, in addition, all unknowns can beremoved safely without corrupting the MS Office file binaries. Whenadvanced security requirements require it, all content within thedistribution in print-representative-like packages can be examined usingexisting analysis tools for analysis of content-based privacy, security,and utility risks. In essence, the process for implementing MS Officesecurity has extended the 2-phase of virus detection into a moreexacting granular 3-phase process. This is effective for DOM, HTML. XML,databases, and any structured file binaries. It is not effective forexecutable code that could contain worms, viruses, and other plaguesbecause these files lack clear structures with definitive nodes. It isonly because of the DOM itself that MS Office documents can be filteredat so exacting a method; most freeform or zipped executables cannot bedisassembled reliably with reassembly after scanning intostill-functioning applications. The standard 2-phrase process transformsinto a 3-phase process where DOM node elements are coded either as exonsor introns, and thereafter processed accordingly for inclusion orexclusion.

The improved accuracy of 3-phase scanning of documents within thecontext of an object model is apparent. While the traditional 2-phasemethod find actual virus procedures within a source document, it alsomiscodes several other sequences as viral. The viral signatures yieldfalse positives and false negatives. The accuracy of such process willalways include statistically measurable false negatives and positives,thereby missing true threats and removing non-threats. The 3-phaseprocess improved on the 2-phase process with granular deconstruction ofthe document and subsequent recoding of both false positives and falsenegatives to yield a higher rate of accuracy. Security introns will beremoved on a scalable and configurable basis in order to conform tosecurity requirements, but like with virus signature updates, better DOMmaps mean better intron handling. Although this technology cannot beapplied for worm and virus detection until all executable applicationsare created with a typed binary structure, it is relevant toimplementing security for MS Office and COTS applications using adocument object model for storage.

FIG. 24 shows the General DOM Editor program 1022 in a flow chart form.Step 1024 is the initialization that is employed by the security entityto set up the program. Step 1026 obtains the DOM layout or blueprintfrom the DOM vendor. Step 1028 notes that for each root, branch and leafin the DOM, the information attributes must be prioritized with th thesecurity organizational informational attributes. For example, the audiofiles of potential Bin Laden voice prints may be critical at TS and Slevels but be completely excluded at C and U levels. Therefore, anyaudio files below C and U are security introns which are excluded orignored.

Step 1030 obtains the source document DOM. Step 1032 maps the DOM sourcedocument as a binary file populated with content data and meta data as asubset of the DM blueprint. Step 1034 identifies security exons to beincluded in the further processing of the item and identifies securityintrons to be ignored or excluded in the processing. Step 1036 convertssecurity exons at each root, branch and leaf int security safe form andformat (for example, a safe DOM template), and generates a safeblueprint or map for the precursor DOM and discards all securityintrons. Step 1038 processes the content of the safe DOM with securityfilters discussed above. It also processes all data objects (exons) fromthe safe DOM with granular filters. Data is dispersed as necessary andretrieved and re-assembled as necessary with a safe map.

DOM Template Editor

The following tables present the current collection of methods foroffsetting MS Office security flaws.

Template - Editing - Publishing Table 1. Start with a clean template 2.Write-protect templates  Attached template(s) or styles for other MSOffice documents  Normal .DOT  Clean up .DOT 3. Edit cleanly  DisableVersioning  Disable Change Tracking  Periodically “Accept Changes” topurge change log and save  or save as  Disable Fast Save  InstallPatches for “Unwanted Data”  Do use comments, not hidden text  Do notuse footnotes, end notes, table of contents, index, links, 4. RemoveReferences - Convert into Safe Text and Function mode  URL (covert tonon-function form, such as “www and pto.gov”)  Hyperlinks  Pointers References  hidden text, headers, footers, footnotes, endnotes, tablesof  contents, index, links, can establish a context or cerate a semiotic inference to other documents or sources (copy content  andpaste into safe DOM, for example, all footnotes and  endnotes are shownas [data here] where the  footnote appears int eh text) 5. Paste . . .do not embed 6. Publish . . . do not send a file  Print  Fax as image(not as binary document in WinFax or eFax, etc)

FIG. 25 shows a flow chart of a basic application for a DOM Editor forMS Office document.

Step 1042 initializes the system. Step 1044 obtains the source DOMdocument and notes that all processing occurs after a spam and virusfilter. Step 1046 notes that the program creates or is provided with asecurity safe DOM document and map. Step 1048 notes that a template isopened. A clean .DOT template (Word) or whatever the new document typeis opened for the specific application. The Normal.DOT or NewSpreadsheet.XLS on the MS Office distribution CD is safe. In Visio, forexample, start with a new chart. Older documents saved as templates tendto accumulate unanticipated metadata. If one must use a non-standardtemplate, clean it up. View it as both a printed document, as a binaryfile, and as a document object. Write protect the templates, or storethe templates as non-modifiable networked volume. If the templates areused throughout the organization, create a network store for them andconfigure each user's installation of MS Office to look there for thetemplates. Search the network for duplicate copies of these templatesand eliminate them.

If changes from any version of MS Office to another version aremade—this can be a regularly upgrade or a even a downgrade—create newdocuments and cut-and-paste parts of prior documents into new ones. Losethe older files and templates. If you receive or open an Office documentin either an older or newer version, create new documents andcut-and-paste parts of prior documents into new ones consistent with theMS Office version that you use.

Step 1050 disables edit controls and step 1053 copies content. The pointis one must edit cleanly. This is not a single step but rather aprocess, both one time and ongoing. Disable versioning in step 1050 toprevent a buildup of past versions of the document. With versioning,prior sessions will be stored as document.doc 1, document.doc 2, and soon. These tend to get entwined with the latest version. If workflow withInfoPath, Outlook, or other collaborative workflow tools createsduplicate copies of the source document file for each user. Step 1050includes the concept that the system is configured to store a singlenetwork copy instead. Preserve an audit trail and backup with a systembackup rather than versioning. Disable change tracking in step 1050 tocurtail the buildup of additions, deletions, and changes that transcendthe publishing intent of the document. If redlining is necessary,establish guidelines for periodically accepting changes to purge changelog. Use the command to save the document without the change log withFile/Save or File/Save As. Do not use nor rely on fast saves, timedsaves, or file recovery after a MS Office crash to purge the dirtymetadata. After a crash, reopen the document, save the document under anew name. Close the Office application. Delete the old fileprecipitating the crash. Rename the new file under the old name. Reopenthe Office application.

The security organization must make deliberate and conscious decisionsto install or ignore patches. Office updates or service releases fixbugs and security flaws but do not repair the fundamental securityflaws.

Step 1054 locates text in footnotes, hidden text, etc and eitherdiscards or ignores the subtext because those items are consideredsecurity introns or copies them into a safe DOM text form and disablesfunctions, if necessary. Use comments instead of hidden text. It isdocumented as a feature so it can be found rather than accidentallyuncovered. Hidden text with a font color change or font size changelooks like an artifact that most users will ignore or delete. Avoid theuse of headers, footers, footnotes, endnotes, inserts for table ofcontents, index and the like. These appear only in the printed outputunless specifically viewed from the View pulldown menu. Such links alsocreate a lot of dirty metadata beyond what is visible even duringediting that persists until changes are accepted. Remove references fromthe source document. This is subtle, but very important when documentsare specifically posted or even inadvertently listed on web sites.References include other files, documents, hyperlinks, and otherpossible embedded formatted materials. These references create theability to infer quite a lot about the purpose of the document fromother related documents in the same directory, by the same authors, andthe types of other documents. For example, a spreadsheet stored with areport that is not overtly included in the report suggests that issource material that has not been reviewed with an eye towards privacy,security, or client privilege.

Paste and copy images, cut text, formatted text, pie charts, recordsets, slides, waterfalls, milestones, organizational charts as plaintext or an image rather than formatted Office objects. If the embedcommend is used, all the metadata baggage from the other Officeapplication is now added to the metadata in the target document. Sincethat metadata baggage is not native to the target document application,it is inaccessible and truly hidden. Tools, such as Metadata Assistantwill not find Excel metadata within a Word Document, Word metadatawithin an Excel spreadsheet, and none of them within an Outlook note ormessage.

Step 1056 notes that a clean map for the security cleared DOM documentmust be created.

Step 1058 executes the editor or granular filter and dispersal routineas necessary. The distribution or push of partial security clearedversions of the text can be included in step 1058. Consider publishingyour presentation rather than sending a binary document. Although“Publish” is anew feature to Office 2003, the intent is more important.The process for publishing is to create anew distribution and deliveryformat limited to the visual presentation elements containing none ofthe DOM blueprint and none of the DOM metadata with it inherent securityissues. In simpler words, create a new output version of the document.Print it on paper (the classic air gap information transfer). Print itto a file. Print it to an image. In some way, alter the format topreclude distribution of the DOM with the document blueprint and itsmetadata. One does not need the source document DOM blueprint for apresentation; the presentation is the final product. If presentationsare needed for revisions, regulation review, or continued workflow,change the binary document format. Printed documents can be capturedformatted by optical character recognition, such as with OmniPage. Textfiles can be read by Word. Spreadsheets as text files can be importedand formatted by Excel. If the organization needs formatting retainedfor revisions, delete all pending revisions, copy the document inpieces, paste into a new document, and save it as a new document. Theproper concept set forth herein is to recreate the MS Office document ina “format-neutral” file to remove blueprint and metadata.

The claims appended hereto are meant to cover the scope and spirit ofthe present invention.

The invention claimed is:
 1. A computerized method of securing data in aplurality of security controlled data stores with access controlsthereat, each data store having a defined security level, said datapotentially having sensitive content defined as sensitive words, dataobjects, characters, images, data elements or icons, comprising:separately storing sensitive content in secure data stores of saidplurality of security data stores at the respective defined securitylevel for said sensitive content; permitting reconstruction of some orall of said data with appropriate access controls applied to respectivesecure data stores; and said storing or reconstruction based upon (i)territorial protocol and a geographic location signal or (ii) atriggering event; and at least one of: prior to storing, at least one ormore of tagging, labeling, or classifying said sensitive content in saidsecure data stores; or concurrent with storing, at least one or more oftagging, labeling, or classifying said sensitive content in said securedata stores.
 2. A computerized method of securing data as claimed inclaim 1 wherein said storing includes at least one or both of filteringor extracting said sensitive content in said secure data stores.
 3. Acomputerized method of securing data as claimed in claim 1 wherein saidstoring includes at least one or both of removing or copying saidsensitive content in said secure data stores.
 4. A computerized methodof securing data as claimed in claim 1 wherein said storing includes atleast one or both of filtering and transferring or extracting andtransferring said sensitive content in said secure data stores.
 5. Acomputerized method of securing data as claimed in claim 1 wherein saidstoring of said sensitive content in said secure data stores includes atleast one or both of partially or completely storing said sensitivecontent in said secure data stores.
 6. A computerized method of securingdata as claimed in claim 1 wherein said storing of said sensitivecontent in said secure data stores includes partially or completelystoring said sensitive content in said secure data stores with at leastone of encryption or parsing of data.
 7. A computerized method ofsecuring data as claimed in claim 1 wherein said sensitive content isdefined as at least one of security sensitive content, content ofsignificance, trade secret content, personal identifying information,content subject to regulatory provisions, or back-up content and saidrespective ones of said secure data stores are correspondinglydesignated as at least one of security sensitive stores, stores forcontent of significance, trade secret stores, personal identifyinginformation stores, regulatory provision stores, or back-up stores.
 8. Acomputerized method of securing data as claimed in claim 1 wherein saidstoring of sensitive content in said secure data stores includes atleast one or more of storing in predetermined security data stores,storing in a predetermined manner by random selection of security datastores, storing by data class in said security data stores, storing databy data type in said security data stores, or storing by level ofsecurity in said security data stores.
 9. A computerized method ofsecuring data as claimed in claim 1 wherein said storing of sensitivecontent in said secure data stores includes storing data in saidsecurity data stores in a predetermined manner with an algorithmicselection.
 10. A computerized method of securing data as claimed inclaim 1 wherein said storing of sensitive content in said secure datastores includes storing data in optical media data stores.
 11. Acomputerized method of securing data as claimed in claim 1 whereinstoring of said sensitive content is done separately with respect to atleast one of remainder data, left-over data, non-sensitive content data,surplus data, residue data, remnant data, or data complementary tosensitive content data.
 12. A computerized method of securing data asclaimed in claim 1 wherein permitting reconstruction includes at leastone of reassembly, reconstitution, regeneration, compilation,reorganization, reclamation or reformation of some or all of said datawith appropriate access controls applied to respective secure datastores.
 13. A computerized method of securing data as claimed in claim 1wherein permitting reconstruction includes the use of at least one ofpredetermined access controls, assigned access controls, access controlsgenerated with said storing of said secure data, or access controls andencryption.
 14. A computerized method of securing data as claimed inclaim 1 wherein permitting reconstruction includes at least one ofreassembly, reconstitution, regeneration, compilation, reorganization,reclamation or reformation of some or all of said data with appropriateaccess controls applied to respective secure data stores.
 15. Acomputerized method of securing data as claimed in claim 1 wherein saidaccess controls are applied to at least one or more of predeterminedrespective secure data stores, associated respective secure data stores,correlated respective secure data stores, or designated respectivesecure data stores.
 16. A computerized method of securing data asclaimed in claim 1 wherein the method of securing data is deployed in aclient-server computer system with at least one server computer and aplurality of secure data stores, said server operatively coupled to atleast one client computer and said secure data stores over acommunications network, said server effecting said storing of sensitivecontent in secure data stores of said plurality of security data stores;and said server controlling the application of said access controls. 17.A computerized method of securing data as claimed in claim 1 whereinsaid sensitive content is at least one or more of: select sensitivewords, data objects, characters, images, data elements or icons; definedsensitive words, data objects, characters, images, data elements oricons; known sensitive words, data objects, characters, images, dataelements or icons; certain sensitive words, data objects, characters,images, data elements or icons; a collection of sensitive words, dataobjects, characters, images, data elements or icons; a plurality ofpredetermined sensitive words, data objects, characters, images, dataelements or icons; or a plurality of predetermined sensitive words, dataobjects, characters, images, data elements or icons having differenthierarchal or orthogonal levels of sensitive content.
 18. A computerizedmethod of securing data as claimed in claim 1 wherein said sensitivecontent is at least one or more of: portions of predetermined sensitivewords, data objects, characters, images, data elements or icons; orwords, data objects, characters, images, data elements or icons whichare not from a plurality of predetermined words, data objects,characters, images, data elements or icons.
 19. A computerized method ofsecuring data as claimed in claim 1 wherein said sensitive content isrelated to sensitive words, data objects, characters, images, dataelements or icons, by at least or more of a function or a meaning.
 20. Acomputerized method of securing data in a plurality of securitycontrolled data stores with access controls thereat, each data storehaving a defined security level, said data potentially having sensitivecontent defined as sensitive words, data objects, characters, images,data elements or icons, comprising: separately storing sensitive contentin secure data stores of said plurality of security data stores at therespective defined security level for said sensitive content; permittingreconstruction of some or all of said data with appropriate accesscontrols applied to respective secure data stores; and said storing orreconstruction based upon (i) territorial protocol and a geographiclocation signal or (ii) a triggering event; wherein said access controlsare applied to respective secure data stores in at least one of thefollowing manners: said access controls applied sequentially torespective secure data stores; said access controls applied concurrentlyto respective secure data stores; said access controls applied torespective secure data stores subsequent to application of a securityprotocol; said secure data stores are mapped and said access controlsare applied to obtain the mapped secure data stores; or said accesscontrols are applied subsequent to an exchange of compensation or anexchange of data, said access controls applied to respective secure datastores subsequent to application of a hierarchical security protocol.21. A computerized method of securing data in a plurality of securitycontrolled data stores with access controls thereat, each data storehaving a defined security level, said data potentially having sensitivecontent defined as sensitive words, data objects, characters, images,data elements or icons, comprising: separately storing sensitive contentin secure data stores of said plurality of security data stores at therespective defined security level for said sensitive content; permittingreconstruction of some or all of said data with appropriate accesscontrols applied to respective secure data stores; and said storing orreconstruction based upon (i) territorial protocol and a geographiclocation signal or (ii) a triggering event, and wherein the method ofsecuring data is deployed in a client-server computer system with atleast one server computer and a plurality of secure data stores, saidserver operatively coupled to at least one client computer and saidsecure data stores over a communications network, said server effectingsaid storing of sensitive content in secure data stores of saidplurality of security data stores; and said server permittingreconstruction of some or all of said data by controlling theapplication of said access controls to respective secure data stores.22. A computerized method of securing data in a plurality of securitycontrolled data stores with access controls thereat, each data storehaving a defined security level, said data potentially having sensitivecontent defined as sensitive words, data objects, characters, images,data elements or icons, comprising: separately storing sensitive contentin secure data stores of said plurality of security data stores at therespective defined security level for said sensitive content; permittingreconstruction of some or all of said data with appropriate accesscontrols applied to respective secure data stores; and said storing orreconstruction based upon (i) territorial protocol and a geographiclocation signal or (ii) a triggering event; wherein the method ofsecuring data is deployed in a client-server computer system with atleast one server computer and a plurality of secure data stores, saidserver operatively coupled to at least one client computer and saidsecure data stores over a communications network, said server effectingsaid storing of sensitive content in secure data stores of saidplurality of security data stores.
 23. A computerized method of securingdata in a plurality of security controlled data stores with accesscontrols thereat, each data store having a defined security level, saiddata potentially having sensitive content defined as sensitive words,data objects, characters, images, data elements or icons, comprising:separately storing sensitive content in secure data stores of saidplurality of security data stores at the respective defined securitylevel for said sensitive content; permitting reconstruction of some orall of said data with appropriate access controls applied to respectivesecure data stores; and said storing or reconstruction based upon (i)territorial protocol and a geographic location signal or (ii) atriggering event; wherein the method of securing data is deployed in aclient-server computer system with at least one server computer and aplurality of secure data stores, said server operatively coupled to atleast one client computer and said secure data stores over acommunications network, said server permitting reconstruction of some orall of said data by controlling the application of said access controlsto respective secure data stores.